Hello,

--- William X Walsh <[EMAIL PROTECTED]> wrote:
> Wednesday, January 23, 2002, 2:00:26 PM, Scott Allan wrote:
>
> > I like your security suggestions - I have had similar thoughts myself
> > often. I am pretty sure we could not force this on everyone (or anyone for
> > that matter...). This could be implemented at the RSP level, and be a
> > distinctive selling point. We could also implement an optional opt-in
> > "challenge" system, which is a decent idea. Would people pay extra for it?
> > (not that we would *have* to charge for it).
>
> I use challenge systems in all the membership/control panel type
> systems I develop. It really is one of the best ways to handle this
> issue. I also agree with it being voluntary to the end user.

I'm for higher security as well. I was playing with WHOIS and noticed that some really big companies have moved their domains to OpenSRS (for instance, EDS.com, GM.com -- what's good for GM is good for America was a saying not long ago..., BMO.com -- a large Canadian bank). If one of those names was hijacked, it would be bad PR. Having Registrar lock would be one way to avoid transfers (although, this is still susceptible to people getting the password).

Another way to have a challenge system might be to send a PIN number via snail mail, to add a layer of security to a profile. That is how some of the better online casinos, for instance, make sure that they are dealing with real people. Perhaps even having a voice-system, where one can call a number and enter a PIN to verify a change. With toll-free lines, one can know who is calling (and now there's international toll-free, too), and maybe pre-specify only certain phone numbers as being able to be used for verification.

Perhaps another method would be to have secondary emails, that are notified of any change in a profile/domain. If one automatically sends notifications to servers on two different email systems, it'd be hard for a malevolent hacker to hijack both.

Another option might involve making some kinds of database changes take longer, instead of being instantaneous. E.g. kind of like a "scheduled change", with a user-specified delay (and notifications of the changes, to 2 emails). For example, I might want DNS changes to only take effect after 3 days (thus making an attempted hijacking evident via the emails). Or, maybe I'd want a 14 day delay in changing the administrative email (that should rarely change for most of my domains, unless there was a domain sale). Of course, if I really did want to make certain changes, I'd have to live with the fact that I'd need to do them earlier, and plan ahead accordingly. E.g. if one is switching web hosts, and needs to change nameservers, one would plan accordingly, and a 3-day delay wouldn't hurt. For a change in physical address of a contact, for most companies that is planned well in advance, by months.

Now that I think of it, probably the folks at Entrust (or even Certicom, which is in Toronto) would have better ideas, since that's their entire business. Issuing digital certificates for clients, just like banks do, would probably be a good solution. Those certificates might cost on the order of $8 to $20 wholesale, which isn't that much if spread over 100+ domains in a profile. Network Solutions used to (maybe still does) have PGP-signed mail for authentication, although I'm sure now that they have access to Verisign/RSA security, they could do digital certificates too (i.e. client-side).

As for paying extra, I'd pay a little more, or perhaps it could be on a per profile basis, instead of a per domain basis (since the costs might be more on a per-profile basis). Or, maybe those with more than X domains can get it free. Perhaps paying extra lets one enter "Advanced Mode", which has all the features in the current interface, plus a few other bells and whistles.

Sincerely,

George Kirikos
http://www.kirikos.com/
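
The "scheduled change" idea from the message above (a per-field delay, with every event announced to two mailboxes), sketched as an added example that is not part of the original post or of any registrar's code. The class, field names and addresses are hypothetical, and "two different email systems" is approximated here by requiring two different mail domains.

```python
from datetime import datetime, timedelta

class DelayedProfile:
    """Profile whose sensitive fields change only after a user-chosen delay."""

    def __init__(self, values, delays_days, notify):
        # Assumption: different domains stand in for "different email systems".
        if len({a.rsplit("@", 1)[-1].lower() for a in notify}) < 2:
            raise ValueError("need addresses on two different mail systems")
        self.values = dict(values)
        self.delays = dict(delays_days)   # field -> delay in days
        self.notify = tuple(notify)       # fixed here, never taken from a request
        self.pending = {}                 # field -> (new_value, effective_at)
        self.outbox = []                  # stand-in for real mail delivery

    def _announce(self, text):
        for addr in self.notify:          # every event goes to both mailboxes
            self.outbox.append((addr, text))

    def request_change(self, name, new_value, now):
        effective = now + timedelta(days=self.delays.get(name, 0))
        self.pending[name] = (new_value, effective)
        self._announce(f"{name}: change to {new_value!r} scheduled for {effective:%Y-%m-%d}")
        return effective

    def cancel(self, name):
        """The owner, alerted through either mailbox, withdraws the change."""
        if self.pending.pop(name, None) is None:
            return False
        self._announce(f"{name}: pending change cancelled")
        return True

    def apply_due(self, now):
        """Commit only changes whose delay has fully elapsed."""
        applied = []
        for name, (value, effective) in list(self.pending.items()):
            if now >= effective:
                self.values[name] = value
                del self.pending[name]
                self._announce(f"{name}: change applied")
                applied.append(name)
        return applied

if __name__ == "__main__":
    # Constructed sample data: 3-day delay on nameservers, 14 days on admin email.
    p = DelayedProfile({"nameservers": "ns1.old.example"},
                       {"nameservers": 3, "admin_email": 14},
                       ["owner@mail-a.example", "owner@mail-b.example"])
    p.request_change("nameservers", "ns1.other.example", datetime(2002, 1, 23))
    print(p.apply_due(datetime(2002, 1, 25)), p.values, len(p.outbox))
```
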
