security Push system for domain name transfers already in place for .co.uk!

[GeorgeK]

(with thanks to @Acroplex) The kind of “push” system for domain name transfers that I’ve been advocating for more than 2 years at ICANN is LIVE for .co.uk! There’s no excuse now for ICANN not to adopt this, at least as a pilot project, for gTLD domain names.

https://freespeech.com/2024/10/05/push-system-for-domain-name-transfers-already-in-place-for-co-uk/

 

[othellotech]

(with thanks to @Acroplex) The kind of “push” system for domain name transfers that I’ve been advocating for more than 2 years at ICANN is LIVE for .co.uk! There’s no excuse now for ICANN not to adopt this, at least as a pilot project, for gTLD domain names.

https://freespeech.com/2024/10/05/push-system-for-domain-name-transfers-already-in-place-for-co-uk/

After 25 years of having the IPS-TAG transfer method, Nominet are dropping it and in the process of moving to the gTLD ICANN process.

Whilst there are a few other ccTLDs that allow it and some subdomain psuedo-TLDs that allow both methods, I'm aware of a coulle of cctlds watching the .uk change before going the same way themselves.

 

[GeorgeK]

After 25 years of having the IPS-TAG transfer method, Nominet are dropping it and in the process of moving to the gTLD ICANN process.

Whilst there are a few other ccTLDs that allow it and some subdomain psuedo-TLDs that allow both methods, I'm aware of a coulle of cctlds watching the .uk change before going the same way themselves.

According to:

https://registrars.nominet.uk/wp-co...ter-Registrar-Transfer-Process-March-2023.pdf

the reason they apparently didn't like their "push" system is:

If a registrar accepts a domain onto their TAG/accreditation, then it is both possible and not uncommon thatthey cannot match up the incoming domain with an expected user in their system. This means the domainsits in-limbo at the registrar until the registrant identifies themselves by submitting the request to the newregistrar. While not common, a third party can then contact the new registrar and may be able to interceptthe domain in this scenario.

My approach, documented in my submissions to ICANN, is that the registrant gets a token at the gaining registrar first:

https://freespeech.com/wp-content/uploads/2022/08/LEAP-comments-Transfers-Phase1a-20220814-FINAL.pdf

(see section E starting on page 11) which specifically identifies where the domain name is going at the gaining registrar (just like a wire transfer would have a destination bank account, transit, account holder, etc.). So, my approach completely resolves that issue. Furthermore, that token is for a specific domain name [although it could be extended to a group of domains very easily] (not just to accept any inbound transfer, otherwise malicious people might transfer unwanted domains to a victim, e.g. domains associated with crime, etc.).

Registrars/registries should have thought about the problem more deeply, rather than simply revert to ICANN's poor model for transfers.

 

[othellotech]

That 'problem' exists because of registrar choice.

The tag transfer process already includes the option to need to accept the domain onto your tag, which forces the registrant to have 'prepared' the new tag holder accordingly

All moot as shifting to the epp-pull from push is happening regardless of the wishrs of the majority of tsg holders.