To:
"'ietf-provreg@cafax.se'" <ietf-provreg@cafax.se>
From:
Daniel Manley <dmanley@tucows.com>
Date:
Fri, 23 Nov 2001 10:40:38 -0500
Sender:
owner-ietf-provreg@cafax.se
User-Agent:
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.5) Gecko/20011012
Subject:
auth_info for transfer query command
I just sunk in a couple of days ago that the transfer query command doesn't require the object's auth_info. I'm thinking that it should -- or at least the command should be flexible enough to validate the auth_info if it is provided. I know that the truth is told in the transfer request command, but practically speaking, I think many registrars (of which OpenSRS is one) will want to validate the auth_info with the registry before really issuing the transfer request. This is mostly due to ICANN requirements (?) of transfers being asynchronous events: for example, registrant requests with the registrar, registrant is asked for confirmation via email with use of whois, registrar screens/reviews periodic transfers for anything out of the ordinary. It would be a shame to go through all the motions just to find out at the end that the auth_info was bogus. What does everyone think -- especially registrars using EPP now? Also without the auth_info being required for transfer query, this allows registrars not involved in the transfer to "spy" on others' activities. Is this ok? Dan