Shame on you, Comodo!

[SimonSim]

It just came to my attention that Comodo is trying to steal "Let's Encrypt" brand:
https://letsencrypt.org//2016/06/23/defending-our-brand.html

Do you really need this, Comodo? Stealing brand someone else made up?
    

[sAyer]

"We urge Comodo to do the right thing and abandon its “Let’s Encrypt” trademark applications"

It sounds like to me that Comodo is in possession of trademarks applications that gives it use of  “Let’s Encrypt”.

"These trademark applications were filed long after the Internet Security Research Group (ISRG) started using the name Let’s Encrypt publicly in November of 2014, and despite the fact Comodo’s “intent to use” trademark filings acknowledge that it has never used “Let’s Encrypt” as a brand."

From a legal standpoint (ISRG) should have trademarked this when they started using it publicly in November of 2014. There negligence to have done so is why this debate is happening. Then they want to cry foul because of their failure to follow the simplest of product protections. Registering your trademarks. The one who is in possession of the registered trademark is the owner, and that is the law.

If I'm a small developer and make a product called Windows Perfect PC Repair and have been working on and distributing it for years, and did not bother to trademark the brand name. Then another company comes along and uses the same name for their product but has the common sense to trademark it. Then who owns it? The company with the trademark. It's the law.

This goes as far back as McDonald's brothers and Ray Kroc. The brothers owned the original restaurants but he owned the trademarked name. So that's why he took over the chain and the rest is history.

I always feel slightly bad for the underdog but business is business.

It just came to my attention that Comodo is trying to steal "Let's Encrypt" brand:
https://letsencrypt.org//2016/06/23/defending-our-brand.html

Do you really need this, Comodo? Stealing brand someone else made up?
    

How can Comodo steal what it basically already possess ? If they have filed trademark applications.

I'm sure it will be settled in a court of law but since Comodo has filed the applications the odds are well in their favor.

 

[Melih]

brand someone else made up?
    

How can you prove it was them who made it up?

Isn't this why we have Trademark laws and courts? If they have right to it then more than happy to comply. But these kind of Intellectual copyrights can't be decided over a forum post or twitter account or trying to get your loyal but "blind" followers to bully another enterprise via their tweets. It won't work! This is not wild west and there are legal framework and courts for these kind of disputes. So lets all stop being the judge and jury and follow the law!

One a separate note, since we are talking about protecting intellectual property, there is no law protecting business models. When Lets Encrypt copied Comodo's 90 day free ssl business model, we could not protect it. Lets encrypt could have chosen 57 days, 30 days or any other number for the lifetime of their certificates. But they chose to use Comodo's 90 day Free SSL model that we established in the market place for over 9 years!!! We invented the 90 day free ssl. Why are they copying our business model of 90 day free ssl is the question! Comodo has provided and built a Free SSL model that give SSL for free for 90 days since 2007! Trying to piggy back on our business model and copying our model of giving certificates for 90 days for free is not ethical. They clearly wanted to leverage the market of Free SSL users we had helped create and establish and that's why they created exactly same 90 day free ssl offering. So why did they choose 90 day?? That is the question!

What they have is nothing new. We have been giving 90 day free certificates since 2007. Unlike them, our certificates are managed, even the free ones, so that consumers are protected. If a certificate is being used maliciously we revoke it. They don't! How is that making internet safer??? Actually consumer are less safe with their certificate because if it is used maliciously they don't revoke (Unmanaged)!

Lets get the facts right guys! We are the good guys that have been giving free SSL certificates since 2007 and managing them!

[JoWa]

When Lets Encrypt copied Comodo's 90 day free ssl business model

How is certificates’ lifetime a business model? The certificates can be renewed at no cost, even automatically.

So why did they choose 90 day?? That is the question!

Why ninety-day lifetimes for certificates? (2015-11-09)

Once automated renewal tools are widely deployed and working well, we may consider even shorter lifetimes.

What they have is nothing new.

ACME is new, and in the process of being standardised.

Lets get the facts right guys! We are the good guys that have been giving free SSL certificates since 2007 and managing them!

ISRG is a bad guy?

[Melih]

How is certificates’ lifetime a business model? The certificates can be renewed at no cost, even automatically.Why ninety-day lifetimes for certificates? (2015-11-09)ACME is new, and in the process of being standardised.ISRG is a bad guy?

thanks for that JoWa,
this is what they say https://letsencrypt.org/2015/11/09/why-90-days.html

"Ninety days is nothing new on the Web. According to Firefox Telemetry, 29% of TLS transactions use ninety-day certificates. That’s more than any other lifetime"

so whose certs are these? Of course Comodo's!!! So they are admitting they are copying our innovation of 90 day free ssl certs!

[sAyer]

I should of stayed out of the entire thread, but as a paralegal I have a firm grasp of copyright and fair use law. In these cases the law is clear and will be decided on subject matter and scope of copyright, copyright notice, deposit, and registration. If ISRG has not followed these guidelines then they simply have no legal basis. I hope Comodo prevails, but then again I'm biased.

I guess the only thing they can do is use forum posts and social media to spread rumors and misinformation towards/about Comodo in order to gain sympathy and try to force Comodo's hand.

Either way really none of my business. On my way to see what else is interesting in the forum today. 

[robinalden]

With LE now being an operational business, we were never going to take the these trademark applications any further.  Josh posted a link to the application and as of February 8th it was already in a state where it will lapse.

Josh was wrong when he said we’d “refused to abandon our applications”.  We just hadn’t told LE we would leave them to lapse.

We have now communicated this to LE.

[Melih]

Its important to re-state that certificate lifecycle management of these LE certs deserve a serious scrutiny. Maliciously used certs must be revoked in a timely manner!

http://www.infoworld.com/article/3019926/security/cyber-criminals-abusing-free-lets-encrypt-certificates.html
http://www.theregister.co.uk/2016/01/07/net_scum_getting_lets_encrypt_certs_for_malware/
http://www.csoonline.com/article/3019991/security/malvertising-campaign-used-a-free-certificate-from-lets-encrypt.html

The problem is the ability to revoke in a timely manner. Unfortunately we cannot as CAs know the intent of the applicants at the time of application. That is why it is very important for CAs to react promptly with revocation. ISGR claimed (afaik) that because they are a non-profit and don't have money they might not able to revoke malicious certs reported to them in a timely manner. So that is yet another reason why I am outspoken about this issue. As if DV certs weren't bad enough, ISGR didn't want to own up to managing certs used by malicious actors. That is NOT acceptable. I hope ISGR have changed or will promise to change their ways and they will start revoking these maliciously used certs in a timely manner.

[JoWa]

So they are admitting they are copying our innovation of 90 day free ssl certs!

A lifetime of a certificate is hardly an innovation. With automatic renewal, the lifetime doesn’t matter much to the user, and it may be shorter in the future, which is good. Ninety days is a compromise.

[ubuysa]

Personally I think disputes of this type are better settled in the courts. If I was Melih I'd let the lawyers handle it and keep my powder dry....

[christarzan]

Comodo may feel a bit threatened by "Let's Encrypt"

Also, if Comodo is legally entitled to the "Let's encrypt", they should pursue it

but it may look to people like Comodo is ganging up on the Open Cert.

It is a tricky situation.

But considering the number of Anti-opensource companies backing "Open Cert Let's Encrypt", it doesn't look that bad. These companies like HP, Akamai, CISCO may want to avoid paying fees to their certs rather than want to encrypt the web.

Anyway, in a few years, the cert business may not be that profitable unless Comodo can distinguish itself from open certs. Just some thoughts.

[JoWa]

Personally I think disputes of this type are better settled in the courts.

I think disputes of this type should be avoided. Courts are not the place to deal with competitors.

[Ooka]

Then they want to cry foul because of their failure to follow the simplest of product protections. Registering your trademarks. The one who is in possession of the registered trademark is the owner, and that is the law.[/b]

If I'm a small developer and make a product called Windows Perfect PC Repair and have been working on and distributing it for years, and did not bother to trademark the brand name. Then another company comes along and uses the same name for their product but has the common sense to trademark it. Then who owns it? The company with the trademark. It's the law.

This goes as far back as McDonald's brothers and Ray Kroc. The brothers owned the original restaurants but he owned the trademarked name. So that's why he took over the chain and the rest is history.

I always feel slightly bad for the underdog but business is business.

If this is the best defense you can provide, then Comodo has already lost the PR war here. Sure, you can legally stomp and troll trademarks allover plenty of people with enough lawyerbucks, but people will rightfully hate you, and then not want to do business with you.


This thread is a great example. A CEO is eating his foot by simultaneously blaming his target and pretending to a victim of cyberbullying by a new, free, and open cert authority. Hey, here's an idea, you could have just released the trademarks and played nice, since supposedly you don't need them and don't plan to use them, but instead you decided to be an equivalent patent troll, and your getting the negative press associated with those businesses. Hopefully, you'll learn from this experience. The CEO in particular needs to suck up his ego and better his own products before trying to set us all back.

Since im here, when are you guys going to stop making your security software worse? I had to bail on it last year because every update crippled functionality in favor of iterating out the last 10 years in UI design fashions in the span of a year, who made that brilliant decision?

[Melih]

A lifetime of a certificate is hardly an innovation. With automatic renewal, the lifetime doesn’t matter much to the user, and it may be shorter in the future, which is good. Ninety days is a compromise.

Its unfortunate that you chose to belittle an idea without first understanding the implications and value it brought to people when it was launched.

Lifetime of the cert matters, if you are not revoking a malicious certificate...that means end users are being harmed for the duration of that certificate.

[My1]

One a separate note, since we are talking about protecting intellectual property, there is no law protecting business models. When Lets Encrypt copied Comodo's 90 day free ssl business model, we could not protect it. Lets encrypt could have chosen 57 days, 30 days or any other number for the lifetime of their certificates. But they chose to use Comodo's 90 day Free SSL model that we established in the market place for over 9 years!!! We invented the 90 day free ssl. Why are they copying our business model of 90 day free ssl is the question! Comodo has provided and built a Free SSL model that give SSL for free for 90 days since 2007! Trying to piggy back on our business model and copying our model of giving certificates for 90 days for free is not ethical. They clearly wanted to leverage the market of Free SSL users we had helped create and establish and that's why they created exactly same 90 day free ssl offering. So why did they choose 90 day?? That is the question!

What they have is nothing new. We have been giving 90 day free certificates since 2007. Unlike them, our certificates are managed, even the free ones, so that consumers are protected. If a certificate is being used maliciously we revoke it. They don't! How is that making internet safer??? Actually consumer are less safe with their certificate because if it is used maliciously they don't revoke (Unmanaged)!

sorry but no.
https://www.comodo.com/e-commerce/ssl-certificates/free-ssl-certificate.php
reading about your "free" SSL cert is is quote on quote: "limited to one issuance per domain", in other words it's nothing more than a trial to get customers to buy your certs.

"Ninety days is nothing new on the Web. According to Firefox Telemetry, 29% of TLS transactions use ninety-day certificates. That’s more than any other lifetime"
so whose certs are these? Of course Comodo's!!! So they are admitting they are copying our innovation of 90 day free ssl certs!

sorry but this is absurd, do you have proof for that?
unless your cloudflare certs are running 90 days this number is something that cannot be believed, because the "free" certs, as as I'd rather call them, TRIAL certs or test or demo certs, whatever, can only be used once so you cannot get a high percentage of your trial certs in the statistics in the long run.

somebody could say you have taken the business model of common shareware but tripling the usually 30 days testing period to 90 because it's more practical with webservers.

by the way google also uses 3 months, and they might probably take a much larger chunk of the 39% than you guys because google is everywhere, there's youtube, google analytics etc.

you might have had 90 day certs longer but yours was just a trial, while Google was one of the players who made it popular.

unlike you guys LE is making the certs REALLY free, meaning you can renew them and so on.

I do agree that they should be revoked but then again take a read at this:
many browsers have a SOFTfail for the certificate revocation checks, UNLESS an EV cert is used, meaning if the revocation server cannot be reached , the site will still load, in comparison EV has hard fail, meaning that the site will NOT be loaded and you cannot get around it.
also mobile browsers tend to take this to an even higher extreme not checking revocation of non-EVs in the very first place.

and before you (or anyone) says that you'd rather ave everyone buy an EV cert I have another piece of text.
1) EVs are hard to get, you have a lot of paperwork and may also need to have a source for their registration by a non-gov source as Dun & Bradstreet where they also need to register.
2) EVs are expensive. EVs cost a lot of money. I can understand that there is quire a verification but not everyone needs an EV.
3) EVs arent available for everyone. most importantly, I could throw as much money as I want, as an individual (normal person) I couldnt get an EV no matter how much you would want me to buy one.