RE: [DNS] passwords

From: Bruce Tonkin <Bruce.Tonkin§>
Date: Fri, 11 Oct 2002 14:49:05 +1000
Hello Chris,

> > If you mean that updating the passwords makes it harder to by-pass the
> > authorisation process of the transfer policy then you are correct.  We
> > have already detected instances that you have been advised of, where a
> > registrant has not authorised a transfer, but where the reseller initiated
> > the transfer.
> No, that is not what I mean. In your post you claimed that MIT was
> altering passwords for security reasons and referred to the need because
> of AUNIC and so on.

OK.  The security reasons are not just related to AUNIC.

(1) The AUNIC passwords are inherently insecure and changing all passwords
is a good idea

(2) The passwords are often in the hands of more than one party.  The
process ensures that the registrant is in control of who has access to the
passwords for the purposes of domain name operations.  We have had instances
over the past 18 months where registrants have been misled into transferring
control of their domain name to a third party.  Some of the third parties
involved are no longer in operation, but more such third parties have
emerged.  Melbourne IT procedures provide the best security for the
registrant, and don't discriminate on the basis of the identity of a
terminated reseller.  We encourage registrants to update their passwords
whenever they change providers or have provided their passwords to a third
party unintentionally.  The more people that have access to a password the
weaker it becomes.  Again changing all passwords regularly is a good idea
from a security perspective.

> Whilst I accept that this makes it more difficult for
> resellers to transfer without registrant consent , it also has the
> practical result of slowing down and increasing the cost of legitimate
> transfers. 

It is just as likely to make it faster.  Many registrants did not have
access to their domain name passwords, and we also provide registrants with
their expiry dates.  We are providing them with this information in advance,
and are also contacting them via land mail if the email addresses have problems.
All an affected reseller needs to do is ask the registrant to retrieve the
mail sent on 10 Oct 2002.   It saves them one step of asking the registrant
to retrieve the information from Melbourne IT.

We will try to include regular information on passwords and expiry dates to
our customers to ensure that they are well informed.

> The question for auDA to consider (and the reason why we have asked for
> input) is whether the means justifies the ends.

Agreed, that is quite appropriate.  Security is a trade-off between
convenience and protection.  The practices in this industry in the past 2
years favour a move towards protection.  This has been done via the new
regulatory regime and codes of conduct.  The difficulty of enforcement is
still an issue.

Melbourne IT will be contributing input to the auDA process, and we
encourage others to do so as well.

Bruce Tonkin
Received on Fri Oct 03 2003 - 00:00:00 UTC
