To: "'ietf-provreg@cafax.se'" <ietf-provreg@cafax.se>
From: "Liu, Hong" <Hong.Liu@neustar.biz>
Date: Wed, 16 Oct 2002 15:21:20 -0400
Sender: owner-ietf-provreg@cafax.se
Subject: RE: <authInfo> in Transfer Query for Domain and Contact

Scott,

Sorry for getting back to you late. Yes, the <poll> mechanism is one way to
get the losing registrar notified of the result. But should that be the only
way? I guess this is really up to the registry to decide. As pointed out by
Ross Radar in another related issue [1], the protocol should provide the
mechanism for policy enforcement, but not the enforcement itself. Here, the
protocol excludes the possibility for losing registrars to inspect completed
transfer results. If a registry wants to provide such a service, it has to
allow a transfer query with an invalid <authInfo>, but from the last losing
registry, to go through. To me, this is a more serious violation of the
protocol semantics than just allowing <authInfo> to be optional.

Maybe I should suggest some text regarding the changes I would like to see.
In the schema, the <authInfo> element should be OPTIONAL. However, the
following text may be included to clarify its use:
 
"The use of <authInfo> is mandatory for all transfer related operations
except for query. The server MUST reject any transfer related operation with
invalid <authInfo>. The server MAY accept a transfer query from the last
losing registrar if <authInfo> is not present."

What do you think?

--Hong

[1] http://www.cafax.se/ietf-provreg/maillist/2002-01/msg00058.html

-----Original Message-----
From: Hollenbeck, Scott [mailto:shollenbeck@verisign.com]
Sent: Friday, October 11, 2002 8:14 PM
To: 'Liu, Hong'; 'ietf-provreg@cafax.se'
Subject: RE: <authInfo> in Transfer Query for Domain and Contact


> I have a question about <authInfo> being mandatory for the <transfer>
> command. I understand that it was added into EPP-06 [1] based on the
> "spying" issue raised by Dan Manley [2]. I also feel that this parameter
> should be mandatory for the other four operations related to <transfer>,
> i.e., request, cancel, reject and approve.
>
> However, there is a special case where it is helpful NOT to make <authInfo>
> mandatory. The scenario is the following: domain abc.tld is transferred
> from Registrar A to Registrar B. During the transfer pending period, both A
> and B share the knowledge of the same <authInfo> of abc.tld. However, after
> the transfer is completed successfully, Registrar B may change the
> <authInfo> (for security reasons or at the request of the registrar of
> abc.tld). Once that happens, Registrar B will not be able to see the
> transfer result of abc.tld anymore... However, GRRP Requirements (RFC 3375)
> requires that (page 10):
>
> [8] The protocol MUST provide services that allow both the original
> sponsoring registrar and the potential new registrar to monitor the status
> of both pending and completed transfer requests.
>
> The same problem exists for <authInfo> being mandatory for contact transfer.
>
> Do you think this is a problem in the EPP domain and contact specs that
> needs to be fixed? Thanks!

Actually, no, I don't think it's a problem.  While the losing client can't
track the status via the <transfer> query after the authInfo gets changed,
they are informed of the completion of the transfer via queued and polled
messages -- so we have the requirement met.

-Scott-
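
The rule proposed in the message above ("mandatory ... except for query", "MUST reject ... invalid <authInfo>", "MAY accept a transfer query from the last losing registrar if <authInfo> is not present"), sketched as a server-side authorization check. This is an added example, not code from the thread or from any EPP server; the `Domain` record, `authorize_transfer`, the `allow_losing_query` policy switch, and the registrar and authInfo values are all assumptions constructed for illustration.

```python
import hmac
from dataclasses import dataclass
from typing import Optional, Tuple

TRANSFER_OPS = {"request", "cancel", "reject", "approve", "query"}

@dataclass
class Domain:                    # hypothetical registry-side record
    name: str
    auth_info: str               # current authInfo
    sponsor: str                 # current sponsoring registrar
    last_losing: Optional[str]   # loser of the last completed transfer, if any

def authorize_transfer(op: str, client: str, dom: Domain,
                       auth_info: Optional[str] = None,
                       allow_losing_query: bool = True) -> Tuple[bool, str]:
    """Decide whether a transfer operation may proceed; returns (allowed, reason)."""
    if op not in TRANSFER_OPS:
        return False, "unknown-op"
    if auth_info is not None:
        # A presented authInfo must be valid for every operation, query
        # included; a stale value is rejected even from the losing registrar.
        ok = hmac.compare_digest(auth_info.encode(), dom.auth_info.encode())
        return (True, "authinfo-valid") if ok else (False, "authinfo-invalid")
    if op != "query":
        # request, cancel, reject and approve always need authInfo.
        return False, "authinfo-required"
    # authInfo absent on a query: the MAY clause, gated by registry policy and
    # limited to the last losing registrar so third parties cannot "spy".
    if allow_losing_query and dom.last_losing is not None \
            and client == dom.last_losing:
        return True, "losing-registrar-query"
    return False, "authinfo-required"

def sample_domain() -> Domain:
    # Constructed state: abc.tld moved from registrar-A to registrar-B,
    # and registrar-B has since changed the authInfo.
    return Domain("abc.tld", "new-secret", "registrar-B", "registrar-A")

if __name__ == "__main__":
    d = sample_domain()
    print(authorize_transfer("query", "registrar-A", d))                # no authInfo
    print(authorize_transfer("query", "registrar-A", d, "old-secret"))  # stale authInfo
    print(authorize_transfer("query", "registrar-C", d))                # third party
```
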
