Let's boycott Comodo.
The group behind the Let's Encrypt certificate authority (CA) says that its name could be in doubt thanks to rival CA Comodo Group. The Internet Security Research Group (ISRG) says that it is currently locked in a conflict with Comodo, who it claims is trying to trademark the "Let's Encrypt" name despite its previous filings …
I love the fact that when refuting a refutation to his "How do we know they used it first, they didn't file any paperwork, and besides, they copied us first" rant, the CEO points to ISRG's website at .. wait for it... letsencrypt.org
I think having the URL pretty much shows that they used it first.
Sorry, I think I missed something crucial in that post. Just how long does the Comodo free SSL certificate last?
Sheesh, that guy sounds more like a petulant child than a CEO.
And anyway, isn't 90 days somewhat ingrained in the US consumer psyche? It's the standard warranty period so a fairly obvious number to pick.
Comodo has provided and built a Free SSL model that gives SSL for free for 90 days since 2007! Trying to piggy back on our business model and copying our model of giving certificates for 90 days for free is not ethical.
M. Abdulhayaoğlu Melih ("dedicated to innovation"), (founder of Comodo, which of course is praiseworthy in any case) unfortunately sounds like a kid of Generation Entitled here.
But further down "robinalden" (Comodo Staff) has this to say:
With LE now being an operational business, we were never going to take these trademark applications any further. Josh posted a link to the application and as of February 8th it was already in a state where it will lapse. Josh was wrong when he said we’d “refused to abandon our applications”. We just hadn’t told LE we would leave them to lapse. We have now communicated this to LE.
So all is hunky dory?
I would have expected a Certification Authority to behave ethically as part of its business model.
For the CEO to claim that they were just operating within the law and that this is the cut-and-thrust of business shows that they have confused the two concepts of law and ethics. What they are doing may well be legal (I am not a lawyer, etc) but stealing a name from a non-profit is in absolutely no way ethical.
The list of trusted root authorities in our browsers represents the companies that we trust to a very high standard to make our decisions on the authenticity and legitimacy of domains on the Internet. I expect them to do this both within the bounds of law and with a very high degree of ethics.
A legitimate approach to this would be to remove Comodo from everyone's list of trusted certificate authorities since they clearly are not living up to the high standards demanded of them.
They would then go out of business because internet sites could no longer choose to use their now untrusted certificates.
This is business, Comodo. Sorry to see you go. Don't slam the door.
That would take a few "subtrees" dependent on Comodo CA with it.
Sorry "no bullshit", Gandi.net, borderline trustworthy anyway.
> Sorry "no bullshit"
I must say I very much disagree with the tone and content of your dismissive comment against Gandi. I have used them for well over ten years, since they were a tiny, unknown company in Paris, and they have always been superb. From acquaintances' experience, even when they fuck up they are quick to admit it and make amends.
The case that you link to was some bloke¹ who decided it was a great idea to ride on the back of Google's name while providing fake WHOIS details. Reliable providers have to (and do) have strict policies against this, in order to avoid or at least minimise the incidence of fraud and other dishonest practices. In that case, Gandi reacted impeccably and with great professionalism. Apart from being French, I cannot find fault with them.
I cannot speak as to their arrangements with Comodo, or as to Comodo's intentions behind this, but I do feel they provide excellent service.
¹ Btw, said bloke calls himself a "security researcher" but in reality is just an amateur who seems to make it his occupation to approach some of the media with click-bait worthy (but save on one occasion a long time ago, wrong or irrelevant) stuff. At the same time, he is an incompetent developer who leaves "gaping security holes" in his so-called security applications and seems not to be at all averse to spying on his own users. To put it mildly, the guy hasn't got the faintest about security.
You are aware that the Chinese, Russian and US governments are on that trusted list as well, right? And the likes of Symantec who openly use their trusted CA to man-in-the-middle.. If you still trust the default CA lists in browsers, you must be very very naive indeed (maybe I missed the sarcasm in your comment?).
https://www.youtube.com/watch?v=Z7Wl2FW2TcA
watch especially 05:19 to 06:52, then 07:45 to 11:30
heck watch the whole thing; Moxie is a very clear, articulate, speaker with a great sense of humour *and* knows his shit
> knows his shit
Real researchers publish proper papers in academic venues reputable and well-known in the industry. This guy just goes and plays the media / shows his face at meetups, but he's just an amateur with not very clear motives, as mentioned earlier. He seems to connect with certain audiences, but please do not mistake a media pundit with a real security professional.
What planet do you live in?
"media pundit"? "[not a] real security professional"?
Moxie (and Trevor Perrin)'s Signal protocol is pretty much the only one that has been *proven* to be secure (at the protocol level at least). And that is the most recent one I can remember; I think even the cert pinning RFC was from them but I am not sure. Regardless, he *does* know his shit, and some anonymous coward saying it ain't so ain't gonna make it not be true.
This thread <https://forums.comodo.com/general-discussion-off-topic-anything-and-everything/shame-on-you-comodo-t115958.3.html> contains the most hilarious statement ever by a CEO, see comment #3. A staffer later posts that Comodo will file to abandon the trademark registration:
"@robinalden Reply #28 on: Yesterday at 03:41:45 PM:
"Comodo has filed for express abandonment of the trademark applications at this time instead of waiting and allowing them to lapse.
"Following collaboration between Let's Encrypt and Comodo, the trademark issue is now resolved and behind us and we'd like to thank the Let's Encrypt team for helping to bring it to a resolution."