Amazing ideas from that group. Their replacement is to warn me (through mail, app or sms) when TAC / auth codes are requested... well, do same thing when a transfer is requested, it's not that hard.
Exactly --- because a breach/vulnerability can happen
after a TAC is legitimately created, but then is stolen/misused to send a domain name to an attacker.
e.g of just one scenario (there are lots of others). You want to sell EXAMPLE.com to Fred Jones. In the contract, as a safeguard, it specifies that the buyer is going to get the AuthInfo Code (now renamed as TAC) and only use it at GoDaddy, and the seller (current owner) has it at Tucows (e.g. I'm the seller).
At present, I'd get notified (Losing FOA) once the TAC is input at the gaining registrar, to be able to ACK/NACK the transfer. I'd be able to see exactly which gaining registrar was used. If it's not GoDaddy, I would know something is afoot, and reject the transfer on that basis! (all this would happen in real-time on the phone, typically --- I'd get the ACK/NACK email within 20 minutes from Tucows). I would ACK the transfer if I see it is going to GoDaddy.
Now, let's suppose we're in the new proposed system. TAC is generated, and I get a notice of that. But, nothing's wrong at that point, since I wanted it to be generated. But, I give the TAC to the buyer, and instead of inputting the TAC at GoDaddy, it's now used at a Chinese or Russian registrar! (e.g. maybe the buyer got hacked, or an escrow service got hacked, or maybe the buyer is fraudulent, and knowingly wants to take it to another registrar, but plausibly deny that they received the domain) In these scenarios, once the TAC is used, it's game over! The transfer is complete.
Now, they talk about creating a new "undo" system, to reverse transfers. That opens up a whole new can of worms, where you have seller's remorse, or fraudulent misuse of that undo. It would totally disrupt and undermine transactions in the secondary market. It would decrease domain values, as there'd be uncertainty over title (and so one would have to factor in frictions over legal costs to enforce contracts, given the uncertainty over title). This "ETRP" (Expedited Transfer Reversal Policy) proposal was hotly debated over a decade ago, and was rightly rejected (I led the opposition on that, even having to leave that IRTP-B working group after they ignored me, and educating registrants why it was a horrible idea). Bob Mountain and Simonetta Batteiger, among others, were heavily involved to stop this. Now they want to resurrect that idiotic idea? i.e. they literally want to reduce security, to force that rejected "solution" to be required! And the unintended consequences would be severe.
