Hello Chris,

Thanks for your response. I would like to note that Melbourne IT has kept auDA informed of its processes, since they were first initiated in July.

> 1. Yes, we would welcome input.
> 2. Your point about security of passwords is relevant but it is not
> strictly correct to say that the vast majority of passwords were created
> by AUNIC. In reality most if not all passwords were altered to some
> degree when AusRegistry took over.

Thanks for pointing that out. They were altered with a simple algorithm to ensure they complied with the new password policy in terms of a minimum length (and hence ensured that they worked in the software), and the addition of a letter and number. The AusRegistry domain name password can be directly derived from the AUNIC password by a simple transformation, and thus from a security point of view they are the same password.

> 3. Your point about security would be more meaningful as a reason for
> ALL passwords to be changed - something which auDA would co-ordinate if
> deemed appropriate.

Melbourne IT would be happy to work with auDA on that initiative, now that the new systems are more stable. We have been doing this in cases of higher risk on a priority basis, but agree with you that it would be useful if done across the board. This should also be done in conjunction with a coordinated campaign to update the contact details for all domains. We had originally suggested that this be done 6 monthly, but this was rejected by others in the industry on the basis of the cost involved.

> It has less effect when what we are actually talking
> about is only altering the passwords of those domain names managed by
> resellers where those resellers move to another registrar. Despite the
> security label, the practical effect of changing the password is to make
> it more difficult for a transfer to take place.

There should be no effect here. The transfer policy requires the REGISTRANT not the reseller to authorise a transfer.
The authorisation is a two step process:
(1) request domain name password from registrant to initiate a transfer
(2) send a confirmation email to the registrant contact email address in WHOIS

In the process undertaken by Melbourne IT the registrant is provided with the updated password, and if they are not contactable, they can retrieve the password directly from Melbourne IT.

If you mean that updating the passwords makes it harder to by-pass the authorisation process of the transfer policy then you are correct. We have already detected instances that you have been advised of, where a registrant has not authorised a transfer, but where the reseller initiated the transfer.

Regards,
Bruce Tonkin

Received on Fri Oct 03 2003 - 00:00:00 UTC