Inter-registrar or registry 1) Change registrar Automation (“instantaneous”) Internal to registrar 2) Change registrant, with default safeguard to prevent “registrar hopping” NN-day IRT restriction 3) Toggle the “registrar-hopping” safeguard on or off Authorize toggling the post- change lock Policy components Transfer to new registrant Transfer to new registrar Authorize transfer to new registrant Authorize transfer to new registrar

1) Change registrar Automation (“instantaneous”) 2) Change registrant, with default safeguard to prevent “registrar hopping” NN-day IRT restriction Use case Transfer to new registrar Authenticate for transfer to new registrar Transfer to new registrant Authenticate for transfer to new registrant 3) Waive (or reinstate) default “registrar-hopping” safeguard Toggle NN-day IRT restriction Authenticate to toggle the post-change lock

NN-day IRT restriction Automation (“instantaneous”) Transfer to new registrar 4) Change registrar, change registrant, with safeguard to prevent “registrar hopping” 5) Waive “registrar-hopping” safeguard, change registrar, change registrant Use case Authenticate for transfer to new registrar Transfer to new registrant Authenticate for transfer to new registrant Transfer to new registrant Authenticate for transfer to new registrant Remove NN-day IRT restriction Authenticate to toggle the post-change lock Transfer to new registrar

Request to change Registrar Request to change Registrant Request to toggle safeguard Authenticate to Δ Registrar Authenticate to Δ Registrant Authenticate to Toggle Safeguard Registrant (at new registrar) ✔ CASE 1: Change Registrar Note: Registrant information fields need to match in this use case. Present the “Registrant info must match” requirement to the registrant (and validate that it does) at the new registrar. Registrars of record that don’t yet comply with RAA uniform WHOIS access rules will fail this authentication. If registrant wants/needs to change registrant info, they are presented with the option to switch to Case 3 or 4 (depending on lock choice) Authorize Registrar change Authorize Registrant change Authorize toggle of safeguard ✔ Authenticate to Δ Registrar Authenticate to Δ Registrant Authenticate to Toggle Safeguard Registrant (at registrar of record) This falls under current IRTP policy. Mike wants to move his domain from one registrar to another. No other parties involved. Because the Registrant hasn’t changed, Registrant info must remain the same and the “waive safeguard” option is not needed or presented.

CASE 1: Change Registrar Ramifications Current domain-transfer process would need to be changed to add Registrant-info validation [yes] Registrant information would have to be validated between registrars [uniform or thick WHOIS] “registrant” fields will need to be defined [Note: make sure the list is consistent w/uniform-WHOIS] Failure states need to be defined (ie Mikey used different stuff) [transfer fails, present Case 4 or 5] What level? Domain level or account level mapping? [Domain-level – tied to WHOIS data not account] Key – registrant info needs to be shared between registrars – much easier in a thick (or uniform) WHOIS environment than thin. Question: what info actually passes between registrars during xfer and what is the mechanism that is used? [minimal in current thin-WHOIS environment, uniform and Thick-WHOIS offer options] Question: what information does the registrant enter at the new registrar about the incoming domain? [option: Registrant info could be populated from WHOIS] It’s hard to do today – we risk making this harder Our goal should be to make this easier and not raise the barrier to transferring domains between registrars [much of this can be automated] Balance between thwarting bad-guys vs inconveniencing good-guys [again, automation is key] New approach – tie recommendation to the standardized WHOIS language that’s evolving in the RAA negotiations Staggered timing – how to handle Registrars that aren’t under the new agreement [authentication – switch to Case 4 or 5 if they haven’t adopted uniform-WHOIS] Provide development-roadmap information to Registries/Registrars [yes]

✔ Authenticate to Δ Registrant Authenticate to Toggle Safeguard New registrant Request to change Registrar Request to change Registrant Request to toggle safeguard CASE 2: Change Registrant ✔ Authenticate to Δ Registrar Authenticate to Δ Registrant Authenticate to Toggle Safeguard Current registrant Authorize Registrar change Authorize Registrant change Authorize toggle of safeguard Mary (a business owner) wants to buy a domain from Mike for use in her business. She and Mike are using the same registrar. Because she plans to use the name for a long time, and wants to protect it from hijacking, she leaves the safeguard in place.

Current registrant ✔ Request to change Registrant Request to change Registrar Request to toggle safeguard CASE 3: Toggle Safeguard Authenticate to Δ Registrant Current registrant ✔ Authorize Registrant change Authorize Registrar change Authorize toggle of safeguard Susan (a domain investor) wants waive the safeguard in anticipation of a future transaction. Alternatively, she wishes to reinstate the safeguard when an anticipated transfer does not happen. Authenticate to Δ Registrant Authenticate to Δ Registrar Authenticate to Toggle Safeguard Authenticate to Δ Registrant Authenticate to Δ Registrar Authenticate to Toggle Safeguard Note: Authentication to toggle the safeguard would need to be very rigorous (preferably out of band, using information that is hard for hijackers to acquire).

Authenticate to Δ Registrant Authenticate to Δ Registrar Authenticate to Waive Safeguard New registrant ✔ ✔ Request to change Registrant Request to change Registrar Request to toggle safeguard CASE 4: Change Registrant AND Registrar ✔ Authenticate to Δ Registrant Authenticate to Δ Registrar Authenticate to Waive Safeguard Current registrant ✔ Authorize Registrant change Authorize Registrar change Authorize toggle of safeguard Ann (an individual) wants to buy a domain from Mike for use for her blog. She and Mike are NOT using the same registrar. Because she plans to use the name for a long time, and wants to protect it from hijacking, she leaves the safeguard in place.

Authenticate to Δ Registrant Authenticate to Δ Registrar Authenticate to Waive Safeguard New registrant ✔ ✔ ✔ Request to change Registrant Request to change Registrar Request to waive safeguard CASE 5: Change Registrant and Registrar and Waive Safeguard Note: Authentication to waive the safeguard would need to be very rigorous (preferably out of band, using information that is hard for hijackers to acquire) and agreed to by both parties. ✔ Authenticate to Δ Registrant Authenticate to Δ Registrar Authenticate to Waive Safeguard Current registrant ✔ ✔ Authorize Registrant change Authorize Registrar change Authorize waiver of safeguard Susan (a domain investor) wants to buy a domain asset from Mike. She and Mike are NOT using the same registrar. Because she wants the flexibility to sell the name, and has sophisticated anti-hijacking of her own, she waives the safeguard.