2022-07-26 Transfer Policy Review PDP WG Call

After the Tuesday, 26 July call: Staff to send out a blank spreadsheet/table.
By Monday, 01 August: WG members to complete the spreadsheet/table.
By Tuesday, 02 August: Staff to compile responses for discussion at the meeting on 02 August at 16:00 UTC.

Notes:

Transfer Policy Review Phase 1(b) - Meeting #55

Proposed Agenda

26 July 2022

Roll Call & SOI updates

2. Welcome and Chair Updates

3. Detailed Analysis of CoR Triggers and Actions – Present and Future

See: https://docs.google.com/spreadsheets/d/1eB3cowSoEp4ERoqQmlc3hc5dpV4g5NzP/edit?usp=sharing&ouid=106429012576252349565&rtpof=true&sd=true [docs.google.com]

Introduction:

Possible proposed approach.
If we look at the inter-registrant policy – back in the day the IRTP-C/-D had the “luxury” of starting from scratch, but we don’t have that.
Because we have an existing policy, even if there is full consensus to get rid of the policy we still have to provide a rationale.
We do have the ability to ask ourselves: would the change of registrant policy be developed the way it is taking into account the TAC only being revealed on request, and if there was a post-transfer restriction (30 or 60 days), would that have addressed the problems the CoR policy was trying to overcome.
We also realize that we don’t have any data to work with, so we have to proceed with a systematic analysis, hence the table.
Current policy – two key components: Trigger of Section C, Change of Registrant – we will be analyzing the trigger and then the possible actions in response. See: https://www.icann.org/resources/pages/transfer-policy-2016-06-01-en.
Table to aid analysis: These are sample responses, not meant to be staff positions.
Triggers are the first column on the left. Dissecting each of the triggers in isolation.
Trying to draw solid lines around key components of the policy as they exist today.
First one: looking at rows 4-5 – is that particular transaction legitimate or illegitimate. We will get into whether it’s possible to distinguish that.
Second line: columns F-G – possible action with the understanding that there is no intention to move to another registrar.
Moving to H-I – in connection with a change of ownership. So not just a change in contact information. Challenging because some of these triggers may have an action before that potential change.
Looking at J-K – inter-registrant change with intent to change registrars: could leverage Phase 1A recommendations.
Column L – Outcomes: substance for further recommendations.
In summary: 1) what are the triggers and actions, 2) what are the impacts on the market, 3) what are the outcomes.

Discussion:

Previously we didn’t have much information, such as with two-factor authentication (TFA), to go on. Now we see that larger registrars are using TFA, but not sure about smaller registrars. Those data points are available. That could be a good start.
Good point because we always look at how the landscape has changed. Good to know that TFA is very well used throughout the industry.

Deeper dive into the example (Emily):

We start with triggers and the first use case is a prior registrant name change – II.A.1.1.1 Prior Registrant name + II.A.1.3.1 A change to the Registered Name Holder's name or organization that does not appear to be merely a typographical correction
Helpful distinction is that we want to be weighing the impact on everyday users and on malicious uses – does this action mitigate malicious actions but also what is the impact on users?
Probably will not be able to tell if a trigger is illegitimate or not.
More relevant in some cases or others, whether you can distinguish a typographical correction.
Important to note the intent might be hard or impossible to know, when we look at the action later on would be important.
The other thing that is tricky is the concept of “change of control”. This term is the genesis of where this all came from, but it doesn’t have a clear definition. Regardless of how you define it, we can consider whether it matters whether change of control is happening or not.
Looking at columns F & G – simplest case: Remains w/ Registrar & No Change of Control
- Are the actions fit for purpose? Risk are lower. Current policy language makes it hard to tell when certain updates trigger additional requirements.
- Replace confirmation with notification; eliminate the 60-day lock.
Columns H & I: In close proximity to or as part of change of control
Columns J & K: Followed by inter-registrar transfer
Column L: Possible recommendations and rationale

Discussion:

Good to go into the example of malicious actions and impacts.
Next steps: Does this group want to go through this on a call, or fill out the table separately and staff can compile to discuss on a call? Is it easier to go horizontally through the table?
If we do this offline: At some point we need to go through this to produce the rationale? At the end of the day we should go through it anyway. Answer: Even if we complete it offline we’ll still walk through the responses on a call and by doing so we are answering the charter questions.
Let’s plan to do this as a homework assignment and then staff can compile and eliminate duplications; also can more easily focus on areas of agreement.

Timeline/Next Steps:

We have two more calls before the summer pause.
Need feedback from the WG on what is feasible.
Can team up with a “buddy” to work on it, but want to get different perspectives.
Can the WG have responses (or partial responses) by end of day next Monday, 01 August for staff to compile for discussion next Tuesday?

HOMEWORK/ACTION ITEMS:

After the Tuesday, 26 July call: Staff to send out a blank spreadsheet/table.
By Monday, 01 August: WG members to complete the spreadsheet/table.
By Tuesday, 02 August: Staff to compile responses for discussion at the meeting on 02 August at 16:00 UTC.

4. AOB

Next session: Tuesday 2 August at 16:00 UTC