To:
"'Liu, Hong'" <Hong.Liu@neustar.biz>, "'ietf-provreg@cafax.se'" <ietf-provreg@cafax.se>
From:
"Hollenbeck, Scott" <shollenbeck@verisign.com>
Date:
Fri, 11 Oct 2002 20:14:22 -0400
Sender:
owner-ietf-provreg@cafax.se
Subject:
RE: <authInfo> in Transfer Query for Domain and Contact
> I have a question about <authInfo> being mandatory for the <transfer> > command. I understand that it was added into EPP-06 [1] based on the > "spying" issue raised by Dan Manley [2]. I also feel that > this parameter > should be mandatory for the other four operations related to > <transfer>, > i.e., request, cancel, reject and approve. > > However, there is a special case where it is helpful NOT to > make <authInfo> > manadatory. The scenario is the following: domain abc.tld is > transferred > from Registrar A to Registrar B. During the transfer pending > period, both A > and B share the knowledge of the same <authInfo> of abc.tld. > However, after > the transfer is completed successfully, Registrar B may change the > <authInfo> (for security reasons or at the request of the registrar of > abc.tld). Once that happens, Registrar B will not be able to see the > transfer result of abc.tld anymore...However, GRRP > Requirements (RFC 3375) > requires that (page 10): > > [8] The protocol MUST provide services that allow both the original > sponsoring registrar and the potential new registrar to > monitor the status > of both pending and completed transfer requests. > > The same problem exists for <authInfo> being mandatory for > contact transfer. > > Do you think this is a problem in the EPP domain and contact > specs that > needs to be fixed? Thanks! Actually, no, I don't think it's a problem. While the losing client can't track the status via the <transfer> query after the authInfo gets changed, they are informed of the completion of the transfer via queued and polled messages -- so we have the requirement met. -Scott-