Here's another change that took me by surprise: In the RWI we now have the option to send the username/password to the owner contact.
I don't disagree that the owner contact has the right to modify the registration record. After all they are the owner. But this change could have unintended security consequences. Assume, for example, that party A is the admin contact for, but not the reseller for, domain names owned by parties B and C. For easier management, party A has put the domain names in the same profile. In the past this was somewhat safe because only the admin contact could obtain the username and password. Now, assume party B contacts the reseller listed in the whois to obtain the username and password for his domain, and the reseller sends it to him. He logs in, and now can modify party C's domain name. This scenario could easily be prevented if party A knew it wasn't safe to combine domain names of different owners into the same profile. But the fact that this is a new change to the way things have been done in the past means party A may never find out about it. There are two points to my post: 1. Resellers, be aware of the change and take appropriate precautions, and 2. Where are all these unannounced changes coming from? Let us know when you change something, okay? (I'll apologize if you did and I just missed it.)
