One of the major design criteria was to minimise how much private information was gathered, and this extended to licensing.
Selling something always requires the buyer to hand over a lot of personal information. From my point of view, though, the less information I had to handle the better. That is why I chose a payment gateway like FastSpring: they handle all the international transactions, and especially the taxes and duties that make selling internationally a nightmare for single-person operations like me. I am a wholesaler to them, and customers buy from them instead.
Compare this to a gateway like PayPal, which still requires sellers like me to specify all the tax rates and remit to every country myself, because I remain the end-seller. FastSpring costs only a little more than double what PayPal costs, for a lot less headache. The only downside to FastSpring is that if they cannot obtain a license from my server for any reason, they still charge the customer. However, the payment sits in a pending state and is resolved in a couple of days by not being actioned.
While I have access to the customer information from FastSpring, I don't need to store any of it, because it is not needed for maintaining licenses. In fact, the only other piece of information I need is the domain used for the site. This means that whoever knows the license number and controls the site is effectively the owner as far as I am concerned.
This makes verification very simple. When a site requests an update from the license server, the server checks that there is a license corresponding to that domain, and then contacts that domain with a key to use to get the update. This guards against spoofing because only that domain can be verified against that license, so only the correct domain can be allowed to update. The site does not store the license number, and it is not needed for updates, though it must be entered for things like transfers or unregistering.
Note that so-called domain spoofing only means imitating a domain in appearance or by a similar name, not actually hijacking the real domain.
A domain can be registered against multiple licenses in case one gets lost, and if the lost one is found it can be freed from that domain. What is prevented is having multiple domains for the one license, which would be silly, except that it can be done temporarily to transfer the license to another domain, with an overlap of only 24 hours. A domain can be unregistered from a license, but the site will then show a distinctive ***** NOT REGISTERED ***** at the bottom of each page and cannot be managed, except to register the domain against an unused license or to delete the site.
This all helps to keep me out of people's personal data while using the minimum data to maintain the license connection to a domain. It does mean that I don't know if a license has been given away, but also that, because I don't know who currently possesses the license, I cannot replace a lost license even though I know who purchased it. Here, exclusive knowledge of the license number is the whole of possession. The license number is provided in the invoice and in the email sent from the seller. Keep it safe and don't show it to anyone you would not trust with your site.
If the original purchaser successfully gets a refund for the purchase, which is only likely to happen soon after purchase, I will be notified and will disable the license. That will force the site to show itself as unregistered, whereupon it can be deleted or the domain registered against another license. If the license was given away, or sold by a reseller as part of their provided services, the owner of the affected site must direct all enquiries – and anger – to the reseller, as they are totally responsible for any action regarding the refund of the purchase.
The license database is an SQLite3 file, making it compact and self-contained. If enough licenses are sold, say over a million, I will cut over to a server with a more robust database. During that cutover, I will halt sales to minimise disruption to installations. Existing sites will still operate as fully registered during that time, because a failure to contact the license server is treated as a successful check of the domain status, though no updates can occur.
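The domain-and-license rules described above, as an added example that is not the author's own license server code: a small sqlite3 model in which `issue`, `register`, `transfer`, `disable` and `domain_status` are assumed names and the schema is constructed for illustration.

```python
import sqlite3
# Constructed model of the licensing rules described in this post (not the author's
# license server): a license is bound to one domain at a time, a domain may carry
# several licenses, and a transfer allows a 24-hour overlap.
TRANSFER_OVERLAP = 24 * 3600  # seconds

def open_db():
    db = sqlite3.connect(":memory:")  # the real server uses an SQLite3 file
    db.execute("CREATE TABLE licenses (number TEXT PRIMARY KEY, disabled INTEGER DEFAULT 0)")
    db.execute("CREATE TABLE bindings (number TEXT, domain TEXT, expires REAL)")
    return db

def issue(db, number):
    # Only the license number is recorded; the buyer's details are not stored.
    db.execute("INSERT INTO licenses (number) VALUES (?)", (number,))

def active_domains(db, number, now):
    """Domains currently bound to a license (lapsed transfer bindings excluded)."""
    q = "SELECT domain FROM bindings WHERE number=? AND (expires IS NULL OR expires>?)"
    return [r[0] for r in db.execute(q, (number, now))]

def register(db, number, domain, now):
    """Bind a domain to a license; refused if the license is disabled or bound elsewhere."""
    row = db.execute("SELECT disabled FROM licenses WHERE number=?", (number,)).fetchone()
    if row is None or row[0]:
        return False
    current = active_domains(db, number, now)
    if current and domain not in current:
        return False  # one license, one domain (outside a transfer)
    if domain not in current:
        db.execute("INSERT INTO bindings VALUES (?, ?, NULL)", (number, domain))
    return True

def transfer(db, number, old_domain, new_domain, now):
    """Move a license to a new domain; the old binding lapses after the overlap."""
    if active_domains(db, number, now) != [old_domain]:
        return False
    db.execute("UPDATE bindings SET expires=? WHERE number=? AND domain=?",
               (now + TRANSFER_OVERLAP, number, old_domain))
    db.execute("INSERT INTO bindings VALUES (?, ?, NULL)", (number, new_domain))
    return True

def disable(db, number):
    # Refund handling: a disabled license makes its site show NOT REGISTERED.
    db.execute("UPDATE licenses SET disabled=1 WHERE number=?", (number,))

def domain_status(db, domain, now):
    """What the site shows: registered if any enabled license is bound to it now."""
    q = ("SELECT 1 FROM bindings b JOIN licenses l ON l.number=b.number WHERE "
         "b.domain=? AND l.disabled=0 AND (b.expires IS NULL OR b.expires>?)")
    return "registered" if db.execute(q, (domain, now)).fetchone() else "NOT REGISTERED"
```

Times are plain Unix seconds passed in by the caller so the 24-hour transfer window can be checked deterministically.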