Quoting "Ross Wm. Rader" <[EMAIL PROTECTED]>:
As Elliot pointed out to me on Friday, all rules favor thieves. Rules constrain those that are inclined to follow rules which empowers those that don't.
That's why you need inviolable mechanisms, not rules.
These are semantics that wouldn't address the core problem.
For instance, confirmation should never pass through a registrar or reseller -- only direct from user to registry.
The issue here isn't bad transfer policy, lax confirmation rules or poor practices in place at this reseller or that registrar.
There is a fundamental flaw in registry security policy. RRP policy allows me to make my own assertions without any checks or balances to correct inappropriate assertions.
In other words, anyone can pretend to be me with very little trouble. Anyone pretending to be me is totally trusted by the registry with no secondary checks. Anyone pretending to be me has the same access to registry resources that I do.
The basic RRP registrant identity model is a very basic construct that Verisign inherited from Network Solutions, whose implementation dated back to when they took over the .com contract from GSI. It is high time that the community started holding our steward accountable for these deficiencies and ensured that these flaws are fixed.
Oddly, the timing to fix these problems couldn't be more perfect.
-- Regards,
-rwr
"In the modern world the intelligence of public opinion is the one indispensable condition for social progress."
- Charles W. Eliot (1834 - 1926)
