At 4/26/01 5:24 AM, William X. Walsh wrote:
>OpenSRS has obligations to the end user, regardless of how you cut it.
>They have done a great job balancing that, but there are some people
>who think that they should have all of the rights and privileges of
>fully accredited registrars, and the same type of relationship between
>customer and registrar, by simply being a reseller of another
>registrar.
>
>You can draw all the analogies you want, the ICANN Accreditation
>agreements make this relationship between the three parties an
>absolutely unique one.
>
>Some companies are more willing to be overly loose in viewing their
>obligations to domain holders.

Hmmm. When this has been discussed to death in the past, it has often
ended with someone from OpenSRS suggesting that if the reseller cares
about this, he or she could set up a system that either records the
end-user passwords, or inserts an intermediate system that allows only
the reseller to know the true password.

So OpenSRS has actually encouraged some resellers to take full control of
the domains (and many have done so; it allows you to provide much greater
support to your end-users, especially if they are hosting customers) --
but they aren't directly offering this functionality themselves.

The only reason I can think of that OpenSRS would encourage resellers to
do this, but refuse to offer it themselves due to policy reasons, is so
that if something goes wrong (such as a domain hijack by an Evil
Reseller), they can blame the reseller and say "Our system doesn't
normally allow you to do that. The guy was stealing people's passwords!
We're shocked -- shocked -- to find that anyone would do such a thing".

I understand the rationale, but it's basically just a cover-your-ass
move. It allows OpenSRS to say they haven't provided a method to allow
Evil Resellers to hijack a domain, even though there's actually nothing
to prevent it from happening in the real world. (Surely if you actually
are an Evil Reseller, you'll add the three lines of code that allows you
to capture end-user passwords; it would take all of five minutes.)

The end result is that the honest resellers have to suffer (either by not
being able to help customers as much as they'd like, or modifying the
scripts to capture/manipulate passwords) so that OpenSRS can pretend the
system is more secure.

I also have done stupid things to make lawyers happy; it's a hazard of
this modern world, and I don't really blame OpenSRS. But when otherwise
smart people such as William act as if this "let's pretend it's secure so
we can't be blamed if it goes wrong" charade actually makes OpenSRS more
secure than other registrars that support resellers...

>As a domain holder, I find that to be a reason NOT to do business with
>that registrar, and to recommend to people that they not register
>names with resellers of that registrar.

... I have to wonder what you're all smoking.

Evil OpenSRS resellers could trivially hijack a domain despite OpenSRS's
policy not to give resellers full control. If it happened, OpenSRS (and
other registrars involved if the domain was transferred away) would
presumably restore the domain to the correct person and
terminate/prosecute the Evil Reseller; it would be annoying and a
scandal, but not the end of the world.

Thinking about it, the reseller system other registrars have (where the
reseller can make any change to a domain) may actually be MORE secure
than the OpenSRS system.

With OpenSRS, if an Evil Reseller captures the password and makes
changes, OpenSRS has no way to tell that the end user didn't make that
change. With the other registrars' systems, it's (at least theoretically)
possible for the registrar to record that the change was made by the
reseller, not the end-user. If the end-user later complains that his or
her domain was stolen via reseller changes, there's an audit trail
showing who did what, making it potentially easier to reverse the
unauthorized changes.

--
Robert L Mathews, Tiger Technologies