The *gaining* registrar *MUST* get explicit approval from the registrant. IIRC, they must do so NOT by using the email that's provided during the transfer, but that which is currently associated with the WHOIS record.
The *losing* registrar *MUST* (according to the agreements with ICANN) allow the transfer to go through unobstructed. Now, granted, some other registrars (who shall remain nameless, but their initials are Network Solutions and Register.com) have elected to ignore this particular clause in the agreement. ICANN has proven spectacularly impotent in dealing with it. That doesn't change the fact that OpenSRS's system is set up in accordance with the rules of the game. I think it's important to point out to your customers that the gaining registrar has the obligation to obtain consent for the transfer. Many people misunderstand the nature of the approval process and assume that the OSRS auth request is the only request that's sent. That's simply not true. It's only done as a courtesy. Regards, Eric Longman Atl-Connect Internet Services +-------------------------------------------------------+ | Atl-Connect Internet Services http://www.atlcon.net | | 3600 Dallas Hwy Ste 230-288 770 590-0888 | | Marietta, GA 30064-1685 [EMAIL PROTECTED] | +-------------------------------------------------------+ ----- Original Message ----- From: "ST" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Friday, December 28, 2001 7:54 AM Subject: away transfer verification I know this is a touchy subject which has been discussed a lot on this list. However, feedback from my customers has led me to think that away transfers should not go through if the admin contact does not respond to the verification instructions. Someone tried to transfer one of my customers domains on Christmas day. I assume they timed it hoping the real owner would miss the verification because of the holiday. Even when he did read the e-mail he wasn't sure if it was real or not, and didn't deny the transfer until I told him to. Had he not denied the transfer, he would have lost the domain, from what I understand. Here is what he had to say about it: <snip> PLEASE, tell me this is bogus! If you, in fact, do allow for a domain name transfer without EXPLICIT APPROVAL from the registrant, I will be transferring all my domains to a more secure registrar immediately. </snip> It might also be a good idea for OpenSRS to review all transfers that were not acknowledged by the admin contact during this holiday break. It just seems to easy to steal a domain if you know an office will be closed for a week. ST
