RE: [DNS] passwords

From: Bruce Tonkin <Bruce.Tonkin§melbourneit.com.au>
Date: Fri, 11 Oct 2002 12:33:25 +1000
Hello Chris,

Thanks for your response.  I would like to note that Melbourne IT has kept
auDA informed of its processes, since they were first initiated in July.

> 1. Yes, we would welcome input.
> 2. Your point about security of passwords is relevant but it is not
> strictly correct to say that the vast majority of passwords were created
> by AUNIC. In reality most if not all passwords were altered to some
> degree when AusRegistry took over.

Thanks for pointing that out.  They were altered with a simple algorithm to
ensure they complied with the new password policy in terms of a minimum
length (and hence ensured that they worked in the software), and the
addition of a letter and number.  The AusRegistry domain name password can
be directly derived from the AUNIC password by a simple transformation, and
thus from a security point of view they are the same password.

> 3. Your point about security would be more meaningful as a reason for
> ALL passwords to be changed - something which auDA would co-ordinate if
> deemed appropriate.

Melbourne IT would be happy to work with auDA on that initiative, now that
the new systems are more stable.   We have been doing this in cases of
higher risk on a priority basis, but agree with you that it would be useful
if done across the board.  This should also be done in conjunction with a
coordinated campaign to update the contact details for all domains.  We had
originally suggested that this be done 6 monthly, but this was rejected by
others in the industry on the basis of the cost involved.

> It has less effect when what we are actually talking
> about is only altering the passwords of those domain names managed by
> resellers where those resellers move to another registrar. Despite the
> security label, the practical effect of changing the password is to make
> it more difficult for a transfer to take place.

There should be no effect here.  The transfer policy requires the REGISTRANT
not the reseller to authorise a transfer.  The authorisation is a two step
process:

(1) request domain name password from registrant to initiate a transfer
(2) send a confirmation email to the registrant contact email address in
WHOIS

In the process undertaken by Melbourne IT the registrant is provided with
the updated password, and if they are not contactable, they can retrieve the
password directly from Melbourne IT.

If you mean that updating the passwords makes it harder to by-pass the
authorisation process of the transfer policy then you are correct.  We have
already detected instances that you have been advised of, where a registrant
has not authorised a transfer, but where the reseller initiated the
transfer.

Regards,
Bruce Tonkin
Received on Fri Oct 03 2003 - 00:00:00 UTC