for those who don't stop by at Slashdot..
Posted by timothy on Wednesday November 10, @12:08AM
from the and-ease-of-use-is-important dept.
Tanktalus writes "Netcraft seems to have a little ditty about new rules from ICANN that take effect on Friday making it easier to hijack domain names. Essentially, if someone tries to take your domain, and you don't answer within 5 days, they now assume you are okay with the transfer. Previously, the default answer was no, and you had to explicitly state your acceptance of the domain transfer. Owners of small domains, beware: no more computerless vacations that last more than 4 days at a time!"
Relevent links:

relevent replies from Slashdot post:
Nothing has changed really. This has ALWAYS been the way the system ran, only some registrars choose to ignore it, and setup abusive transfer blocking mechanisms, and called them "Safety" measures for their customers instead of the lock-in attempts they really were. The problem with the old way was that some unscrupulous registrars (NetSol for instance)made it harder to get your domains away from them, forcing you to jump through hoops, and making them harder and harder to accomplish, and then deny them for wrong reasons. The new policy only sets out EXPLICIT rules about what are allowed reasons for a domain transfer to be rejected by the current registrar, and a process by which disputes over transfers will be handled. Other than that, nothing has changed really at all, and any news articles saying otherwise are less than properly informed, and listening to alarmist rhetoric instead of understanding how the system worked until now, and how it will work in the future. As a previous poster pointed out, the best thing to do is to lock your domains with your current registrar, just make sure that they provide an easy means to unlock them when you need to make changes, or when you really do want to go to a new registrar.
That's exactly right. This action was taken by ICANN because some registrars (notably Verisign/Network Solutions) were very uncooperative about transfers of domains out from their registry.

Note that this isn't about transferring a domain from one owner to another. It's about transferring a domain from one registrar to another while keeping the same owner. Transfers of ownership come under different rules.
There are four parties involved in the transfer process:

* The registrant or domain owner;
* The losing registrar;
* The gaining registrar.
* The central registry - central repository of records.

Got that?

Okay, the way a transfer was supposed to work was as follows:

1. The domain owner submits a transfer request to the gaining registrar
2. The gaining registrar was to seek confirmation of the transfer from the domain owner, based on existing whois information, and independent of the request.
3. Having received such confirmation, they notify the central registry that the transfer is valid.
4. The central registry notifies the losing registrar of the imminent move, to give them a chance to block it should there be unresolved billing issues or other disputes. Only in such a case was the losing registrar meant to block the transfer.
5. If the losing registrar does not object, the transfer is executed.

(Steps 2 and 4 actually run in parallel, but that's irrelevant.)

The Problem
However, a number of losing registrars put in a policy some time ago that they would also seek confirmation from the domain owner, despite the gaining registrar having already done so in step 2. They would object to all transfers unless they received authorisation to their liking from the domain owner.

One registrar in particular required a copy of an Australian driving licence or passport, or a notarised letter for non-aussies. In this case it made the administrative cost of a transfer prohibitively high. The did not require this level of identification when a domain was being transferred to them. (Before you ask, yes the admin details were correct. They were just being berks.)

Invariably this policy was put in by registrars to try to prevent customers moving to other registrars, by adding additional hoops. The 'excuse' put forward was to reduce exposure to legal actions.

When one tries to cover ones *** too much, one's hands end up covered in ****.

Not all registrars did this - the nicer ones honored the word of the gaining registrar and only interfered if there were billing issues etc.

The Solution
The new ICANN rules is a compromise - it now explicitly allows the losing registrar to seek the double confirmation, but they can no longer block the move just because the customer didn't jump through enough hoops for them
It does not require the losing registrar to do so, so this is business as usual for the nice registrars.

The important point is that the gaining registrar still has to verify the transfer in the first place, as it should be. The customer confirms their identity once, and no more.

What's to stop a registrar faking authorisation? The loss of their ICANN accredidation, and hence their business.

Final point: although this is a non-story, it *is* important to make sure your admin details, especially your email address, are correct and up to date. Just as you would check your entry in the phone book, check your whois data too.