From: Bruce Tonkin
Sent: Wednesday, 31 August 2005 6:41 PM
To: jo.lim@auda.org.au
Cc: Gideon Culican; Jan Webster
Subject: Domain Name Password Policy

Hello Jo,

I note that when the term "Domain Name Password" was chosen, it was envisaged that this would be the main password used by a registrant to manage their domain name.

The common implementation of passwords in the domain name industry (both overseas and Australia) is the following:

(1) the use of a customer username and password. Typically this gives the customer access to all their domain names, email services, and web hosting services. Melbourne IT calls this a "MyAccount password".

(2) a per domain name password. Typically this is used within a registrar's system to authenticate moves from one customer account to another, or one reseller account to another. Melbourne IT calls this a "Registry Key", and this is usually not exposed to new customers.

(3) an EPP authInfo password (see IETF RFC 3731). Typically this is used within a registry system to authenticate moves from one registrar to another registrar.

I recommend that auDA consider renaming "Domain Name Password" to "authInfo password for authorising changes of auDA registrar".

ICANN has recently carried out a review of domain name security in the context of the growth of domain name hijacking. From: http://www.icann.org/committees/security/sac007.htm

"Registrant identity verification used in a number of registrar business processes is not sufficient to detect and prevent fraud, misrepresentation, and impersonation of registrants. ICANN Policy on Transfer of Registrations between Registrars specifies that "consent from an individual or entity that has an email address matching the Transfer Contact email address" is an acceptable form of identity. Transfer Contact email addresses are often accessible via the Whois service and have been used to impersonate registrants.

Publishing registrant email addresses and contact information contributes to domain name hijacking and registrant impersonation. Hijacking incidents described in this report illustrate how attackers target a domain by gathering contact information using Whois services and by registering expired domains used by administrative contacts."

I recommend that:

(1) Passwords not be sent to publicly available registrant email addresses from a process outside of a registrar (e.g. via the registry or auDA websites). Whenever a registrar receives a request to send a password to the default email address, the registrar should also inform the registrant via other contact means (e.g. fax, alternative email address, phone call etc.) that a request has been received for the password and the password dispatched to the default email address. This ensures that if the email address has been compromised, the registrant has a chance to be informed that someone is attempting to gain control of their domain.

(2) With respect to section 4.3 of the domain name password policy, there has been an increase in "fax" fraud whereby a person falsely signs a document claiming to be the registrant. I agree with Brett Fenton that this should be tightened up, with a requirement that signed written documents be notarised (under Australian law), and originals be provided.

Regards,
Bruce Tonkin
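An added example, not code from Melbourne IT, auDA or the email above, of the registry-side check referred to in item (3): a registry receiving an EPP domain transfer request (RFC 3731 domain mapping) verifies the authInfo password before the transfer is allowed to proceed. The domain name, registrar identifiers and stored password are constructed sample data; the result codes are the standard EPP ones.

```python
import hmac
import xml.etree.ElementTree as ET

EPP_NS = "urn:ietf:params:xml:ns:epp-1.0"
DOMAIN_NS = "urn:ietf:params:xml:ns:domain-1.0"

# Constructed stand-in for the registry database: domain -> sponsoring registrar and authInfo.
REGISTRY_DB = {
    "example.com.au": {"sponsor": "registrar-a", "auth_info": "2fooBAR"},
}

# Constructed EPP <transfer op="request"> as a gaining registrar would send it (RFC 3731 shape).
SAMPLE_REQUEST = f"""<epp xmlns="{EPP_NS}">
  <command>
    <transfer op="request">
      <domain:transfer xmlns:domain="{DOMAIN_NS}">
        <domain:name>example.com.au</domain:name>
        <domain:authInfo><domain:pw>2fooBAR</domain:pw></domain:authInfo>
      </domain:transfer>
    </transfer>
    <clTRID>ABC-12345</clTRID>
  </command>
</epp>"""


def parse_transfer_request(xml_text):
    """Return (domain name, authInfo pw) from an EPP domain transfer request."""
    root = ET.fromstring(xml_text)
    transfer = root.find(f"{{{EPP_NS}}}command/{{{EPP_NS}}}transfer")
    if transfer is None or transfer.get("op") != "request":
        raise ValueError("not a transfer request")
    name = transfer.findtext(f"{{{DOMAIN_NS}}}transfer/{{{DOMAIN_NS}}}name")
    pw = transfer.findtext(f"{{{DOMAIN_NS}}}transfer/{{{DOMAIN_NS}}}authInfo/{{{DOMAIN_NS}}}pw")
    if not name or pw is None:
        raise ValueError("missing domain name or authInfo")
    return name.strip().lower(), pw


def authorise_transfer(xml_text, requesting_registrar):
    """Decide the EPP result for a transfer request; returns (code, message)."""
    name, pw = parse_transfer_request(xml_text)
    record = REGISTRY_DB.get(name)
    if record is None:
        return 2303, "Object does not exist"
    if record["sponsor"] == requesting_registrar:
        return 2002, "Command use error"  # current sponsor cannot request a transfer to itself
    # Constant-time comparison so the response time does not reveal how much of the pw matched.
    if not hmac.compare_digest(record["auth_info"].encode(), pw.encode()):
        return 2201, "Authorization error"
    return 1001, "Command completed successfully; action pending"
```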