From:           Don Stokes, Knossos Networks Ltd (OnNetworks)
Received:     4 July 2014

I am a concerned at the current proposal to alter the UDAI functionality on the NZ SRS at: https://dnc.org.nz/story/policy-consultation-changes-udais-registering-managing-and-cancelling-transfer-another-registr

I was a member of the "Hine Commission" in 2000 that recommended the current SRS model, and in this process we did some research into the nature of domain transfers between service providers. Our finding at the time was, unsurprisingly in hindsight, that the vast majority of these were "hostile", i.e. the customer did not engage the incumbent provider when moving a domain name to a new provider.

This research was the basis for our recommendation that a "registrant authentication field" (RAF) be provided, to provide a provider-independent means of authenticating changes to a domain's registration; the RAF became the basis for the UDAI in the current SRS.

Note that this field was intended to supersede the "domain key" originally issued with a domain under the old Waikato University registration system. The change that was made between the previous key and the definition of the RAF is that the RAF was assumed to apply to the current registration only; if a domain was transferred, a new RAF would be issued by the new registrar.

While we did not specifically state that the RAF was to be a permanent password, it was not envisioned that this field would change or become unavailable without notice during the normal life of a domain registration. Rather, the RAF could be held by the registrant so that they could transfer the domain to a new registrar at any time without requiring recourse to either the incumbent registrar or the registry.

The proposed 30 day expiry breaks that assumption. This will mean that:
•           Holders of existing UDAIs will not know that they can no longer use those UDAIs to transfer their domains;
•           Registrants will need to access incumbent registrars (possibly in the absence of registrar administrative authentication, as access to administrative systems are not specifically protected under the registration agreements), whereas if they do hold a UDAI, such access is not required.
•           In particular, a long-held UDAI may be more persistent than specific access to a registrar's current systems; in this case the registrant may have difficulty authenticating themselves with the incumbent registrar to effect a registration change.
•           By requiring that a UDAI be requested within 30 days of use, a registrant is forced to telegraph to their incumbent registrar their intention to change their registration.
•           A risk is introduced to registrants that that having obtained a UDAI in advance, a domain transfer that is subsequently delayed could then fail due to the expiry of that UDAI.
I am also concerned that such a significant change is being slipped in under the radar with only two weeks consultation. I fail to see how the "anyname.nz" proposal affects the integrity of the currently held UDAIs or vice-versa, beyond the usual problem of stale information that was already an accepted (and understood) risk when the model was instigated.