ICANN states only that the onus to prove authorization for a transfer is on
the registrar.

There are two (basic) ways to do this:

1) We can allow you to request a transfer via an electronic method, and then
provide some mechanism to have you prove this to the registrar.  This can be
done by sending an email to the current administrative contact (as an
example).

2) We can allow you to request a transfer via a paper method, which lends
itself to a form of proof.  Notarized letter, fax of all your legal
documentation, etc.

Method 1 has some potential flaws, but it's consistent, non-country/law
specific, and extendible to many requests at once (across various
persons/entities).

Method 2 is potentially more secure, but does have the same potential for
flaws, AND it's highly manual, slow, kills trees, and inconsistent (nor does
it lend itself to many requests, etc).

The industry started with 1), and for the most part it seems to work.  There
are exceptions.  These exceptions are in the decimal point of single digits
(i.e. < 0.1%) of all transfers.

Charles Daminato
OpenSRS Product Manager
Tucows Inc. - [EMAIL PROTECTED]

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:owner-discuss-list@;opensrs.org]On Behalf Of Swerve
> Sent: October 24, 2002 5:29 PM
> To: Herman Hanschke; George Kirikos
> Cc: [EMAIL PROTECTED]
> Subject: Re: Best Practices for Domain Name Security at OpenSRS
>
>
> Hi folks,
>
> Can someone explain to me the ICANN logic for allowing a non-admin contact
> being permitted to initiate a domain transfer?
>
> Why is anyone permitted to attempt a reg to reg transfer (and ownership
> change) of say, Opensrs.Org?
>
> Ross/Charles/Elliott/others?
>
> tx,
>
> Swerve
>
> > From: Herman Hanschke <[EMAIL PROTECTED]>
> > Date: Thu, 24 Oct 2002 16:16:26 -0400 (EDT)
> > To: George Kirikos <[EMAIL PROTECTED]>
> > Cc: [EMAIL PROTECTED]
> > Subject: Re: Best Practices for Domain Name Security at OpenSRS
> >
> > On Tue, 22 Oct 2002, George Kirikos wrote:
> >> Hello,
> >>
> >> Today I think someone tried to hijack one of my email accounts,
> >> possibly to steal a domain name. As far as I can tell, they failed. (I
> >> even got a virus email on a related email address at almost the same
> >> time, and I don't think that is a coincidence). Anyhow, all my domains are
> >> now locked (most of the valuable ones were already locked).
> >>
> >> I'm wondering what other "best practices" people are following in terms
> >> of protecting their domains, and perhaps Tucows/OpenSRS might get some
> >> valuable input as to possible new features that can be implemented over
> >> time, to give peace of mind.
> >
> > I'm a little paranoid here as well.  I watch my nameservers and mail
> > servers very closely, since I worry about the following scenario
> > happening:
> >
> > 1)  Some jerk hacks into the nameserver belonging to a domain with an
> > admin email address, and repoints it elsewhere (probably to his own
> > machine).
> > 2)  Some kind of transfer is initiated.
> >
> >> What other 'best practices' are folks following, or would like to see,
> >> to protect their own domains, and domains of their customers/prospects?
> >
> > Watch what goes into your logs (sensitive information/etc..), I have my
> > log files written to an old non-networked 486 by null-modem cable (best
> > version of a "write-only" file that I can think of).
> >
>
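
The scenario quoted above (the nameserver behind an admin contact's mail domain is repointed, then a transfer is requested and confirmed by email) can be checked for routinely. The following is an added example, not part of the original thread or any OpenSRS code: it audits a portfolio for unlocked domains and for NS/MX drift on the zone that receives each domain's admin mail. All names, record layouts and sample data are constructed assumptions.

```python
# Added example: hypothetical names, constructed sample data.
from dataclasses import dataclass

@dataclass(frozen=True)
class DnsSnapshot:
    ns: frozenset  # nameserver hostnames seen for the zone
    mx: frozenset  # mail exchanger hostnames seen for the zone

def mail_domain(address):
    """Return the lower-cased domain part of an email address."""
    return address.rsplit("@", 1)[1].strip().lower().rstrip(".")

def audit(portfolio, baseline, observed):
    """Return sorted (domain, finding) pairs.

    portfolio: {domain: {"admin_email": str, "locked": bool}}
    baseline / observed: {zone: DnsSnapshot} recorded earlier / seen now
    """
    findings = []
    for domain, reg in portfolio.items():
        zone = mail_domain(reg["admin_email"])  # where confirmations land
        if not reg["locked"]:
            findings.append((domain, "registrar lock is off"))
        known, now = baseline.get(zone), observed.get(zone)
        if known is None or now is None:
            findings.append((domain, f"no DNS data for admin mail zone {zone}"))
            continue
        for rtype in ("ns", "mx"):
            added = getattr(now, rtype) - getattr(known, rtype)
            removed = getattr(known, rtype) - getattr(now, rtype)
            if added or removed:
                findings.append((domain, f"{rtype.upper()} drift on {zone}: "
                                 f"+{sorted(added)} -{sorted(removed)}"))
    return sorted(findings)

# Constructed sample data; example.* names are placeholders.
PORTFOLIO = {
    "example.com": {"admin_email": "hostmaster@example.net", "locked": True},
    "example.org": {"admin_email": "admin@Example.ORG", "locked": False},
}
BASELINE = {
    "example.net": DnsSnapshot(frozenset({"ns1.example.net", "ns2.example.net"}),
                               frozenset({"mail.example.net"})),
    "example.org": DnsSnapshot(frozenset({"ns1.example.org"}),
                               frozenset({"mx.example.org"})),
}
OBSERVED = dict(BASELINE, **{"example.net": DnsSnapshot(
    frozenset({"ns1.example.net", "ns9.example.test"}),
    frozenset({"mail.example.net"}))})

if __name__ == "__main__":
    for domain, finding in audit(PORTFOLIO, BASELINE, OBSERVED):
        print(f"{domain}: {finding}")
```

In practice the observed snapshots would come from periodic DNS lookups taken from a vantage point outside your own network, and any finding should be reviewed before the next transfer confirmation window.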
