Registrars propose changes so that domain name transfers can keep working after GDPR

The Contracted Party House (CPH) Tech-Ops committee made a proposal to ICANN so that we can preserve the ability to transfer domain names between registrars.

This is critical to maintaining a positive experience for registrants.

After 25 May 2018, gaining registrars will not have the ability to pull the registrant email or a proxy from the public WHOIS output; data will not be available from losing registrar or registry on a consistent basis.

Registrars remain convinced that the proposed interim transfer process that relies on the authorisation code as the authorisation mechanism is the only viable option if we want a consistent approach to the inter-registrar transfer policy (IRTP) to remain after 25 May 2018.

The updated proposal sent on May 1 is summarised as follows:

  • Transfers will continue to require a valid authorisation code;
  • The gaining registrar will no longer be required to send a Form of Authorisation (FOA) to the registrant;
  • The losing registrar will continue to send an FOA that allows the registrant or admin contact to ACK or NACK the transfer;
  • If no action is taken, the transfer will auto-ACK after five days from initiation of transfer;
  • Registration information will not be transferred as part of the IRTP, registrants will independently re-enter transfer information with the gaining registrar, including completing the required verification steps specified in the Registrar Accreditation Agreement.

The current transfer process which requires both FOAs was developed before authorisation codes were used consistently across registrars.
The FOA was a legacy mechanism that was codified in policy before authorisation codes were consistently implemented across registries. The transfer process has since evolved to require use of the authorisation code, retrieved either through the registrar’s console or upon request. The FOA requirement outweighs the benefit provided by the FOA in terms of preventing hijacking.

The gaining registrar FOA provides negligible protection in the context of a domain transfer.
With the other mechanisms in place, the gaining registrar FOA provides negligible additional protection. It is equally susceptible to compromise as other mechanisms in place and does not meaningfully alter the risks associated of fraudulent transfers. The more meaningful factor here is the extent to which registrars have implemented secure systems that conform to best practices, such as those set in SAC074 and SAC044. As evidence of this, numerous ccTLDs currently maintain transfer processes that rely solely upon the authorisation code and are not subject to systematic abuse.

Registrars seldom rely upon the gaining registrar FOA in the context of a transfer dispute.
​Another hypothetical benefit of the transfer process would be to provide additional documentation of transfer that could be used in a dispute. The CPH Tech-Ops committee discussed the issue amongst its membership and found that in only an extremely small share of cases is the gaining registrar FOA even used as evidence in reviewing whether a transfer was legitimate. Other information such as domain history, log files, and billing changes, paired with collaboration across registrars, are much more useful in resolving transfer disputes.

As the parties primarily responsible for providing registrants a seamless and trusted transfer process, as well as resolving transfer disputes, registrars are highly incentivised to design a transfer system that maintains and even improves upon the transfer process today. We believe that the proposal satisfactorily maintains fluidity, consistency, and security in the transfer process, but should take this as an opportunity to explore through policy whether better mechanisms or principles exist to realise our shared goals.

Many Contracted Parties have already started to develop and implement transfer solutions. Expedient action by ICANN to formally and publicly endorse this proposed course is in the
shared interest of ICANN, registrars, and registrants to preserve consistency, fluidity, and security in the transfer process.

The letter to ICANN was send by Tobias Sattler, Co-Chair, CPH TechOps and Vice Chair, RrSG (Registrar Stakeholder Group).


About Konstantinos Zournas

I studied Computer Engineering and Computer Science in London, UK and I am now living in Athens, Greece. I went online in 1995, started coding in 1996 and began buying domain names and creating websites in 2000. I started the blog in 2012.


  1. You can trust bureaucrats to make your life harder.

  2. This is what I said earlier.
    If you have the auth code, you should be able to transfer the domain – the E-mails are pointless.
    A good number of ccTLDs require nothing else than a valid auth code.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.