The points made by ISRG seem well-taken and, if there is a formal fight over this, it should prevail given the facts as it recites them.
There is a general lesson here for startups as well.
If you have an important mark, do consider doing an intent-to-use (ITU) application earlier rather than later to prevent poaching of the mark by others.
If you haven't actually used the mark in commerce (e.g., if you are in pure development phase), anybody can go out and file an ITU application for your mark and thereby effectively poach it - even if the person doing it is just trying to extort you (of course, they won't say this is their motive). During this phase, you are vulnerable to such poaching risks. For the vast majority of startups, it probably doesn't matter because no one cares about the typical mark or marks they plan to use when there is nothing yet noteworthy about them. But it can and does happen. Autocad got poached in this fashion when it first started. I had a client that had the domain name gmail.net, planning to use it for "graphics mail" back in the day, and they could have blocked Google had they filed a "Gmail" ITU application (they didn't). Particularly if your mark is distinctive and fanciful, and tied to a credible venture, you should not be lax on this issue. At least give it some careful thought even if your decision is to take the poaching risk to avoid what you see as unnecessary up-front costs on legal items. Remember: an ITU application gives priority over someone who has not yet used a mark, and it gives it to anyone and his uncle who happens to file it even if they have done nothing yet in your field.
Once you begin to use a mark in interstate commerce, then you get common law protections by which the person who is first to use a mark in a given geographical area automatically gets priority to the mark within that area. This happened with an outfit called Amazon Books in the Minneapolis area at the time Amazon.com launched, and they eventually got a settlement payout from Amazon for infringement of their common law trademark rights in that area by the bigger organization. Thus, if you are indeed using a mark in this way, and someone comes along and tries to register a mark (whether ITU or otherwise), you keep your priority over the late arrival and can sometimes even block them from getting the registration (or have it set aside through a formal legal fight). But this is a path with many potential pitfalls. Unless your actual use was open, prominent, and notorious, you may have proof issues to establish it or to establish its extent. Even if you can prove first use and broad extent, you still may have to fight the latecomer and incur large legal expenses in the process. Moreover, if you have not registered your mark, you do not get a "presumption of validity" for it, and this leaves it more vulnerable to a legal argument that the mark is not protectible at all (meaning that many people can use it without infringing on others' rights). Or it can be argued that it is at most entitled to weak protection, so that a use by another in a slightly unrelated field will not cause customer confusion and hence not infringe even if the mark is protectible. And so on and so on. The situation is just not clean in this scenario, or at least can more readily be gummed up by a determined adversary who has "lawyered up."
As someone who has worked for years with early-stage startups, I would be the last to say "go out right away and spend away on legal things" to cover a bunch of theoretical risks. This poaching risk, for most startups, remains primarily theoretical and should not cause you to have to run out and spend a bunch of money on trademark filings before you know if you even have a viable venture. But, for the right cases (good mark, credible venture), it usually pays to be attentive to this issue up front and eliminate the risk through some proactive action.
ISRG is non-profit and its use of this mark was open and widespread. So I can see why they did not go out and incur trademark filing costs to protect a mark that I assume they believed no one could in good faith possibly challenge. This was probably the right judgment to make for their situation. Yet, in hindsight, we can see that the failure to do their own filing has left them vulnerable - not to poaching (as I said, they likely will win) but to having to go through an otherwise unnecessary legal fight to defend what is legitimately theirs.
It is unfortunate and I hope people will give support as needed. In all too many cases, underfunded people or organizations who are in the right do wind up getting overwhelmed by people who simply have more resources and who are determined to make life difficult. Even with a likely winning legal position, someone in this position can wind up having to do some compromise (such as a trademark co-existence agreement) giving the other party significant rights just to resolve the fight. Better to avoid that pressure here if it means enough to the relevant community.
There's a second lesson for start-ups - if you can't buy or develop goodwill with your customers, just steal it from someone else.
My experience(s) with Comodo have been well short of awe-inspiring and their reputation certainly isn't great - to me, this is just another mark against them.
Indeed. I recently had my first two experiences acquiring and installing certificates, the first from Comodo and the second from Let's Encrypt. Comodo took two weeks of repeated attempts over multiple validation methods to get the damn thing issued. Let's Encrypt took less than a minute, even on a platform that doesn't officially support it.
It seems Comodo is obviously lashing out because the only value their service provides is the (ultimately artificial) trust in their CA. And now there's a new player on the scene that not only is free, but provides more value in terms of ease of use and just as much trust.
> believed no one could in good faith possibly challenge
They were correct to believe that no one could in good faith do what Comodo are doing.
There is no way that Comodo are acting in good faith and any claim otherwise is either an outright lie or (if anyone claiming good faith genuinely believes that to be true) complete stupidity. Or both.
Let's Encrypt is part of the Internet Security Research Group, which is an IRS 501(c)(3) public benefit corporation. Contributions are tax deductible in the US.
The anger, the convenience of your link, and the fact I had some cash sitting with Paypal made it easy for me to donate to holding as well. I think there's a lesson in there.
Let's Encrypt is a noble good-for-everyone effort, so it's depressing that there are those out there who will do it harm.
I donated, not because they provide an awesome service for free... but because they stand to break up something that's really nasty in the crux of our internet.
We're making it possible for everyone to experience a secure and privacy-respecting Web.
We make it easy to get certificates for HTTPS, because ease of use is critical for adoption.
We provide certificates free of charge, because cost excludes people.
Our certificates are available in every country in the world, because the secure Web is for everyone.
We strive to be open and transparent, because these values are essential for trust.[1]
When I read that on Let's Encrypt's website, compared to the immature drivel the Comodo CEO wrote, it is obvious who the "good guys" are here.
Moxie had an amusing anecdote about this incident in his Blackhat 2011 talk "SSL and the future of authenticity"[0]. Apparently the same IP as was used by the "sophisticated attacker" and disclosed by Comodo downloaded sslsniff[1] from Moxie's server the next day, referred by a video tutorial about intercepting SSL.
If they're not trustworthy, let's remove them from the trusted CA lists of major FOSS browsers / distros. Anyone know the proper mailing list / bugtracker this should be filed on in the case of Firefox?
Followup idea: a trusted neutral 3rd party that ranks CAs by various factors, such as controversiality. Quotes Wikipedia and other (arguably) objective sources [of fact] and welcomes debate about potential bias.
Perhaps this group could publish reports periodically so that they can then be picked up and bundled into browsers - that way you're not constantly sending [trackable] cert requests to a 3rd party, and you already have the cert info so there's no query server to DDoS.
Maybe Firefox could incorporate it into the TLS info popup and possibly the HTTPS icon... Chrome never would; this idea goes way too close to the advertising industry.
An extension would be nice, but something like this would never go viral so would never get adoption. Native browser integration would be a must.
Also, mozilla.org's cert is by DigiCert. What's their track record?
Just how many use Comodo, and why isn't there some sort of movement pushing against Comodo? Hopefully if they lose business or start to they will think twice and attempt to restructure everything.
CloudFlare uses them for Universal SSL, so that's roughly 5% of all websites[1]. Their overall market share (in the CA business) appears to be around 40%[2].
Oh, CloudFlare uses them. That's quite a market share. It is sad that they have such a bad reputation... Hopefully someone buys them out who restructures them or something....
I agree. I have an existing cert from Comodo for my personal site, as they were cheap and easy to get when I was looking for one. I will look for another provider when it's time to renew.
Let's Encrypt doesn't offer EV certs. Which is reasonable; EV certs can't be automated (and they're a dumb idea anyway), but they're still necessary for some of my sites.
Not entirely, but mostly: seeing as this is my job, I should have some idea. Currently writing a post about how we've used some psych techniques to automate the non-automatable parts, which I'll post on HN.
> (and they're a dumb idea anyway)
EV matches identity to public keys. Nothing more, nothing less.
If you need EV, we (https://certsimple.com) specialise in making those background checks far less painless with a bunch of unique tech. This means you get your certificate faster and with a lot less effort on your behalf (and a lot more on ours) during the verification process: https://certsimple.com/about
If a DV cert is fine, go with Let's Encrypt (Hi Richard!), dnsimple (Hi Anthony!) or CloudFlare (Hi John and Filippo!) or Heroku.
Anecdotally: I fully recommend CertSimple. We used them for an EV cert we needed and not only was it simple to set up the request, but the processing was quick, too!
Quick plug for a company I've used: SSLmate (http://sslmate.com) makes cert purchase (for those who need this) painless and fast. They use Comodo and Geotrust FWIW. I've had my own pain with Comodo through other resellers, and moved on to sslmate and godaddy. Recently moved my home blog (http://scalability.org) to LE. Work (http://scalableinformatics.com) is using godaddy for now, though thinking hard on using sslmate going forward for it (because ... godaddy).
I can't find pricing on your website. There's a page called 'pricing' that says I can find pricing on the home page. When I click the link, I find a lot of marketing text, but no pricing.
(Not to sound like an advertisement, but) I got an email from StartCom the other day, saying that they're moving their StartSSL service to work on a similar policy to Let's Encrypt (which I hope means they're just running an ACME server)—but with the proviso that, since they do have the background-checking infrastructure required for EV "trust verification", they've combined the two.
If I recall, StartSSL sort of hoists their EV identity-verification out into its own step before you actually apply for certs. The identity-verification process costs money (and it can't not; it involves paying real people to do background checks), but any EV certs issued to a verified identity are free.
I think what this will mean is that, if you do an ACME request to StartSSL using an identity they've verified—and for a domain associated with that identity—then the cert in the response will automatically be an EV cert.
This is pretty huge, in that usually EV certs cost a large amount per issuance—whereas a pre-verified ACME-issued cert effectively has zero marginal cost to reissue. Previously, EV certs were usually used only for apex domains, with a secondary DV cert collecting the internal SANs together—because the DV cert had a low (now zero) reissuance cost, while the EV cert cost the full amount each time to get reissued. Now you can just use your EV cert for everything, and alter it as suits you: much simpler.
I hope other CAs adopt the same approach; it's a very good idea. (Pie-in-the-sky thought: maybe one day we'll have the equivalent of the semi-automated KYC service providers that have phone apps to scan drivers' licenses, but for corporations. Then issuing EV certs will just mean an API call.)
Unfortunately, it doesn't look like they have plans to use ACME. They do have a public API (StartAPI) for issuance, which is better than nothing, but they definitely missed an opportunity with ACME, IMO. Mainly, being the first CA with OV/EV support that would also benefit from the existing ACME ecosystem (i.e. server auto-configuration).
StartEncrypt, the equivalent of an ACME client for their API, appears to be a closed-source binary blob with no documentation whatsoever (based on what's visible on their product landing page and what's inside the downloaded files).
...oh but they do. If you're in education and are an InCommon member, you get unlimited EV certs. It's pretty nice as you can add real certs to literally every server in your system and not have to abuse a *. cert. Hell, you can even add real certs to every AD machine; no more creating your own CA and installing it via a group policy.
That was back in 2012 when I worked for a University. Good luck getting those certs though. Their web service was so broken and if you ever asked for a 2nd cert it'd revoke the first one (which is great if you use them for e-mail encryption because now you can't read any of your old e-mails :-P .. that was more of an Outlook/GAL issue though).
I really hate that InCommon was using Comodo considering all the shit they've done (like issue Google and Facebook certs to the Iranian government).
Not entirely, but Let's Encrypt could partially automate the verification process (e.g. looking up business entities and contacting their registered agent with an authorization code), and then fully automate obtaining a certificate with those verified credentials.
Let's Encrypt certs are only valid for 3 months. In many situations the auto-renewal stuff is inconvenient. Then it's easier to just buy a commercial cert that's valid for a few years.
I always use acme-tiny [0] to set up LE certs. You can follow their README to set up everything, including an automatic renewal cronjob, in a couple of minutes.
That's not so bad if you have to do it once a year or better yet once every two years, but I'm not doing that every 3 months.
There's an issue open to allow for the process to be automated, hopefully by the next time I need to renew it'll be available. But as it stands today I went with a paid certificate.
I know this doesn't help you, but the best fix for this would be for App Engine to implement letsencrypt support directly, so they can automatically provision and renew certificates for anyone that uses app engine
The Comodo cert was for 5 years at a total of $25 IIRC. I didn't consider that bad at all, especially as that was add-and-forget.
Of course that's still like a money printing machine, and wildcards and greenbars are much more. But the deal was pretty fine for my personal domain. To be frank, I would probably have renewed with them.
The whole idea is to motivate you to automate the process as far as possible. This is basically a good idea. It's a faff for us at present 'cos we don't have direct access to our load balancers at this moment (just switched hosting), but we're working on that.
I've avoided the big issuers for a while now. Big plug for Digicert, who are excellent - they're independent (so not conflicted), have great infrastructure (fastest on OCSP), super support, and are active in pushing standards such as CT, short-lived certs, and adopting .onion support after internal names were deprecated.
I use LetsEncrypt in most cases (and have companies I work with donate a portion of what they used to spend) and then DigiCert for EV SAN.
They already refused to back down, even after requests from Let's Encrypt lawyers. Backpedalling now in response to the PR crisis would not be enough, in my opinion. I'd only consider them again if they were to make a decent donation to Let's Encrypt.
It's troubling that an ostensibly security-oriented company would seek to muddy the waters like this and reduce the reliability and integrity of the marketplace.
I am on Let's Encrypt's side to defend their branding. However, Comodo's intent is understandably clear: you take away my business by giving away free certs, I screw you in your branding. (Not that I agree with this tactic.)
It's a bit like a buggy whip manufacturer registering a trademark on the word 'ford' at the introduction of the model T. Understandable, but not permissible.
Just curious, but do you think companies you consult care enough to switch? It's usually easier to just renew, and I wonder if consultants have the leverage to get customers to care.
It'd be easy to make a case that Comodo is no longer trustworthy, pointing to several of their past actions, and recommending a switch to a safer provider. If the consultant does the work to make the switch happen, and the cost doesn't increase, I doubt the customer would object.
They couldn't care if I mentioned it, and I don't plan to. Renewals often involve just as much work as installing a new cert. This is more about personal recommendations; after I recommend, it's normally accepted without question.
Is it easier? How automated can you make renewal with Comodo? Even big companies goof and have a few hours of downtime where their cert expired. With Let's Encrypt, you make it not a human's error anymore.
We buy EV certs for those sites where the business unit and/or marketing demands it, but otherwise we just use Let's Encrypt. (Small publisher with some paid info sites.)
Yeah, the only reason to use them was that they were cheap and now AlphaSSL's resellers are cheaper anyways, $40 wildcards are hard to argue with. Heck, I paid $100 for 3 years on renewal.
Go with RapidSSL - because we use Docker and bake our certificates into our VMs, we find it hard to use Let's Encrypt. But we have been very happy with RapidSSL (even using it on our APIs that serve legacy Android devices).
I'm pretty sure the lawyer would have known about letsencrypt.org and their Let's Encrypt project before filing this.
So that being said, reading the fine print of what the lawyer had to sign in order to submit the application, shouldn't the lawyer be vulnerable to perjury charges?
The signatory believes that: if the applicant is filing the application under 15 U.S.C. § 1051(a), the applicant is the owner of the trademark/service mark sought to be registered; the applicant is using the mark in commerce on or in connection with the goods/services in the application; the specimen(s) shows the mark as used on or in connection with the goods/services in the application; and/or if the applicant filed an application under 15 U.S.C. § 1051(b), § 1126(d), and/or § 1126(e), the applicant is entitled to use the mark in commerce; the applicant has a bona fide intention, and is entitled, to use the mark in commerce on or in connection with the goods/services in the application. The signatory believes that to the best of the signatory's knowledge and belief, no other persons, except, if applicable, concurrent users, have the right to use the mark in commerce, either in the identical form or in such near resemblance as to be likely, when used on or in connection with the goods/services of such other persons, to cause confusion or mistake, or to deceive. The signatory being warned that willful false statements and the like are punishable by fine or imprisonment, or both, under 18 U.S.C. § 1001, and that such willful false statements and the like may jeopardize the validity of the application or any registration resulting therefrom, declares that all statements made of his/her own knowledge are true and all statements made on information and belief are believed to be true.
I'm also puzzled that Let's Encrypt's Trademark policy [1] strongly suggests that 'Let's Encrypt' is a trademark (word mark?) that they have registered, and yet according to the most recent letter sent by the USPTO [2] "The Office records have been searched and there are no similar registered or pending marks that would bar registration [...]"
You don't have to register trademarks, even though it's a good idea to do so, if only for the sake of clarity. Trademarks can be established through market use (common law usage), which is what Let's Encrypt's claim is based on.
I don't see anything in their trademark policy that implies they have registered any of their marks yet. In fact, all the marks in the "included, but not limited to" list use ™ instead of ®, the latter of which can only be used with registered trademarks. Searching the USPTO database[1] for "let's encrypt" only reveals Comodo's 1B registrations.
All that being said, under US law you still have trademark rights even before you register the mark, and ISRG definitely has first use on the Let's Encrypt mark.
This seems like a good example of why you should go through the registration though. Because now they are going to have to use the courts to resolve the situation; presumably (I hope?), if they'd registered, a new registration application for the exact same mark would not even be accepted.
There's a challenge period during trademark registration when they can voice their objections. They may be able to block it if they're not too late.
> You may challenge an application for trademark registration at the USPTO by filing an opposition with the TTAB within 30 days after it is published in the Official Gazette.
Ah, ok. I hadn't realised there was a difference between registering a trademark and just publicly claiming it as your own. That helps to clear up what the situation is here.
You would have to prove the lawyer knew. It sounds difficult to prove short of an email exchange and I have no idea how the courts work but hopefully you can't get access to a company's emails just by filing a suit based on "I'm pretty sure"
You might argue "due diligence": that as Let's Encrypt appears in a simple internet search, the lawyer's claimed ignorance [if they do claim ignorance] shows a wilful act to hide from knowing that it was already an established trademark. There is no way - on balance of probabilities - that any company enlists a trademark lawyer to register a mark without that lawyer first doing an internet search (e.g. for associations with nefarious businesses [or ones powerful enough to sue you], or negative associations with crime, etc.).
Google could probably provide the information about such a search being made from the lawyer's offices!
I've received legal advice to take care not to discover patents. Because if we knew of the existence of a patent then it could be shown that we were knowingly infringing on the patent.
I wonder if trademark law has similar incentives to behave irrationally.
> First, the Court's references to "willful misconduct" do not mean that a court may award enhanced damages simply because the evidence shows that the infringer knew about the patent and nothing more.

Second, also note:

> "failure of an infringer to obtain the advice of counsel . . . may not be used to prove that the accused infringer wilfully infringed."
If not perjury, then negligence. I ran into Let's Encrypt without looking for it. It kept popping up in the tech news section over the past year.
Maybe lawyers don't peruse the tech news, not even tech lawyers. Well, the lawyer's client most likely does. And really, the lawyer is just filing the request on the client's behalf.
Besides it doesn't matter. A simple web search would have turned up Let's Encrypt. Not doing a simple web search before filing a trademark request is negligence.
> shouldn't the lawyer be vulnerable to perjury charges?
18 U.S.C. § 1001 isn't perjury, it's false statements, the same charge as lying to the FBI (Scooter Libby, Rod Blagojevich, Bernie Madoff, etc.). It can still result in prison, though!
This is disappointing, but not surprising given that Let's Encrypt threatens a large and out-dated revenue stream for Comodo. Thankfully Let's Encrypt is backed by Mozilla and the EFF; they have the resources to defend the brand.
Couldn't this sort of behavior be against the Mozilla CA Inclusion Policy and thus grounds for no longer bundling Comodo CA certs?
The same could possibly be said for Chromium's Root Certificate Policy. It doesn't break the specific trusted tasks but I would say it counts as generally operating in a non-trustworthy way.
> Isn't this why we have Trademark laws and courts? If they have right to it then more than happy to comply. But these kind of Intellectual copyrights can't be decided over a forum post or twitter account or trying to get your loyal but "blind" followers to bully another enterprise via their tweets. It won't work! This is not wild west and there are legal framework and courts for these kind of disputes. So lets all stop being the judge and jury and follow the law!
> On a separate note, since we are talking about protecting intellectual property, there is no law protecting business models. When Lets Encrypt copied Comodo's 90 day free ssl business model, we could not protect it. Lets encrypt could have chosen 57 days, 30 days or any other number for the lifetime of their certificates. But they chose to use Comodo's 90 day Free SSL model that we established in the market place for over 9 years!!! We invented the 90 day free ssl. Why are they copying our business model of 90 day free ssl is the question! Comodo has provided and built a Free SSL model that give SSL for free for 90 days since 2007! Trying to piggy back on our business model and copying our model of giving certificates for 90 days for free is not ethical. They clearly wanted to leverage the market of Free SSL users we had helped create and establish and that's why they created exactly same 90 day free ssl offering. So why did they choose 90 day????? That is the question!
> What they have is nothing new. We have been giving 90 day free certificates since 2007. Unlike them, our certificates are managed, even the free ones, so that consumers are protected. If a certificate is being used maliciously we revoke it. They don't! How is that making internet safer??? Actually consumer are less safe with their certificate because if it is used maliciously they don't revoke (Unmanaged)!
> Lets get the facts right guys! We are the good guys that have been giving free SSL certificates since 2007 and managing them!
That reads like a high school breakup text. Let's Encrypt is always free. Just needs to be renewed, right? What's with the 90-day free invention he's talking about?
I think he's trying to argue that Comodo's radical business idea of "you can get a free certificate for 90 days before having to buy it" has been literally stolen by Let's Encrypt's "You can renew your free certificate every 90 days forever."
Because both approaches are critically centered around the number 90, or something..
It's embarrassing. I hope that CEO is good at other things.
He's conveniently leaving out that once your 90-day Comodo cert expires, you can't ever get another one for that domain. It's essentially a free trial for their paid certs. Let's Encrypt certs can be (and are intended to be) renewed indefinitely.
It looks like they have nothing left to lose. Acting in bad faith so openly lowers them to the levels of patent-trolls. I can't think of any company which respects its public image doing any new business with them after this news.
> Acting in bad faith so openly lowers them to the levels of patent-trolls.
You seem to imply there was a time in recent memory where Comodo itself was at a level above patent trolls. At a high level, patent trolling is associated with rent collection behaviour and using coercion to profit. I see this as Comodo's core business, so I guess I am just quibbling about timeframe.
If 'protect revenue loss' is an oblique way of justifying outright theft, then sure.
These snakes are aggressive as hell. They monitor domain registrations and email-bomb anyone in DNS records. Their spam gets through filters and they'll call you up to sell you certs. Fuck them.
I would love to see Mozilla (a big backer of Let's Encrypt) drop the Comodo root certs from their alpha and beta Firefox builds for a couple of days to show them how ugly things get when both sides play nasty.
By "defense" I mean their PR spin, of course. I doubt they'll actually come right out and say "Let's Encrypt is a threat to our revenue and we're attempting to trademark the name under-the-radar so that we can sue them out of existence."
CloudFlare uses Comodo certificates–millions of them, I imagine–and that probably makes them a commercially significant Comodo customer. As a CloudFlare customer with a Comodo-issued certificate, I hope they’ll try to convince Comodo of the value of doing the right thing.
Comodo is just cross-signing CF certs[1] because the CF Origin CA is not yet in browser trust stores. GlobalSign and Digicert also cross-sign CF certs.
CloudFlare's Origin CA was created exclusively for communication between CloudFlare and backend servers. I haven't seen any kind of announcement mentioning that CloudFlare has plans to operate a public CA and apply to root programs.
Ah, the death throes of a big company that suddenly had its business model invalidated.
Well, not entirely; there are market niches that Let's Encrypt doesn't cover: org-validated and extended validation certs, wildcard certs, anyone who needs a cert that expires in years, ECDSA certs (for the time being)...
But there's no doubt that their revenue will be significantly cut; they'll lose shareholder value and need layoffs.
Their industry did it to themselves; a TLS cert company should have 5 engineers, 5 customer support people, and 2 managers, and should charge about 10% of what they do.
I agree. There is a difference between using "encrypt" in the title of a product whose core functionality is encryption, together with the main name of their company, "start". If they modeled most of the marketing and branding on Let's Encrypt, it wouldn't be great, but I could understand it.
Blatantly registering another company's name as your trademark, within the industry and for the direct product you are competing against, is piss poor intimidation. What possible legitimate motive could they have to do this? None. In the best case, it is for the eponymous "defense" package; at worst it is for intimidation.
It sounds similar enough to me "Let's Encrypt" that it could confuse people. The trademark system is supposed to prevent confusion, which seems to me like what "Start Encrypt" could do. Thus, that also seems to me like a trademark problem.
I tend to disagree (on the latter point). Encrypt is a generic word here. I don't think it's appropriate (nor consistent with the law) to grant broad trademark protection for generic terms.
To me, it's closer to "Joe's Pizza," "Anna's Pizza", and "Arlington Pizza" all selling, well pizza. Could someone confuse Arlington Pizza and Anna's Pizza? Sure, especially if Anna's Pizza is in Arlington and the owner of Arlington Pizza is named Anna. Nevertheless, you can't trademark "<Adjective> Pizza"
"Encrypt" on its own is generic but the "<Imperative-Verb> Encrypt" form of it doesn't sound generic enough to me. Trademarks don't have to be original to be trademarkable, just not cause confusion. I can see people getting confused by "start encrypt" vs "let's encrypt". There could be a case for trademark confusion there.
> Nevertheless, you can't trademark "<Adjective> Pizza"
Yep, you totally can. Again, because originality has got nothing to do with trademarks:
Absolutely correct that you can trademark those phrases. I thought one thing and typed completely another. My mistake.
What I meant is that you can't use your trademark on "<Adjective> Pizza" to exclude anyone else from registering "<Different Adjective> Pizza" and competing with you [edit: under that mark].
Depends on the adjective. If "Hot Pizza" is granted (it seems to just be an application), which I doubt because that does sound really generic, then probably nobody will be granted "Warm Pizza" or "Sizzling Pizza" because that sounds similar enough to cause confusion.
Likelihood of confusion is the acid test for trademark infringement:
Also, preventing others from competing with you is completely irrelevant to trademarks. That's more something like what patents do. As far as trademarks go, you can compete all you want, just make sure you don't portray yourself as having the same name as your competitor.
You may be right (I'm not well-versed in the trademark system), but at least we can agree that this is a more complicated matter than what Comodo is doing. I mean, there is no plausibility in Comodo's case - just plain evil.
I didn't believe it when I received their email about it, bashing the Let's Encrypt initiative. If StartSSL could do it, why haven't they done it years ago? Bunch of scumbags.
They always provided free "personal" certificates with a validity of one year. But they market the "Start Encrypt" thing like you now get wildcard and EV certificates for free (which isn't true). Talking about scummy practices...
Never, I'm pretty sure - we run a ticket reselling website through an exchange and tried to use the service to get developer certs for our testing site.
The web site had a black banner with white text on the top that stated in high contrast that it was the developer site and no actual transactions would run and tickets could not be purchased if a transaction was attempted here. (It was even using a test domain, while clearly the live site's domain was in the header.)
They still required us to purchase some package to use the certificates on that site. When LE came up we were more than thrilled that we didn't have to fork out extra cash for developing on sites that don't get traffic at all and clearly stated this fact.
I will never go back to StartCom considering how they treated us that day.
It seems more likely to me that the approval process is strictly up to whomever is approving requests at the time, because I've also seen several friends get certificates for e-commerce sites that were clearly labeled as the production server and have yet to be revoked after several years of running and becoming successful.
I don't know how StartCom runs the actual process and I could have just been caught by a bad person that day, but honestly, when you have one bad experience, humans tend to avoid going through that again, since we are programmed from birth to do this. Of course Let's Encrypt has been more than what we expected and we will continue to use them until such time as we are required to stop using them!
Go Let's Encrypt - you've got this company's support and I'm sure that of many others, so don't ever stop fighting!
> I don't know how StartCom runs the actual process
Badly. We've used their service for five years in clear and constant violation of their ToS, and apart from demanding a one-time hush payment they didn't even pretend to care.
Fairly standard scummy marketing though. Once you have the appropriate auth level to generate certificates of the type you desire (a one-off process, or at least once per two years), every certificate you have signed is free.
"StartEncrypt" is rather similar to the (trademarked) Let's Encrypt.
StartSSL even changed their CI colours from "green, with red highlights" to "exactly the same shade of blue Let's Encrypt has, with green highlights", I mean come on.
The entire CA model is fundamentally broken: I rely on an entity I have no relationship with to vouch for entities it has a relationship with. That makes no sense. The way it should work is that I rely on an entity I do have a relationship with to vouch for entities.
Could be public, could be private (I'd prefer private, since that would make resiliency, competition & experimentation more likely).
Technically, you have a relationship: you have their certificate in your computer for your browser to validate against. You can remove it and/or add others.
The problem is that a single entity can vouch for each site, so if you don't want to trust it, you can't validate the site at all. Moxie's Convergence[¹] proposal - like Carnegie Mellon's Perspectives Project before - avoids this problem by allowing many entities to vouch for the same site.
See also "Chromodo", the Chrome fork by Comodo that introduces such incredible security features as turning off the same-origin policy, completely breaking the Internet security model.
While it's fair to say that some CAs are not scum, so many of them have done shady things, and they are basically rent seekers for a product that they spend little on to verify things like identity etc.
Most certs are just money printing machines for the orgs in charge of them and I am not surprised they would want to fight back against LE.
Indeed. Their PCI-DSS compliance scanning service is completely useless. Service version fingerprinting only, regardless of binary patch level or actual vulns.
Yet somehow, the PCI SSC accepts their scan results as actionable for Level 1-3 compliance.
> Tarring all CAs with that brush strikes me as unduly harsh.
While I'm sure there are CAs who aren't as egregiously bad as Comodo, it's hard to get around the fact that they basically shouldn't exist as a class, and any CA that isn't working to put itself out of business is sort of hurting the Internet ecosystem.
Well, there you have it, Comodo. Issued new certificates for my humble domains even though they're not yet expired. And there you have it, Let's Encrypt, I've donated: https://letsencrypt.org/donate/
Out of curiosity: why didn't Letsencrypt apply for a trademark right at the start?
That this would happen was quite foreseeable, and it occurs quite often when people forget to secure trademarks (I know this won't be a popular opinion, because most, like me, like Letsencrypt and their outstanding service).
It costs $375 (plus lawyers fees, usually) and I suspect that they just didn't think it was necessary. Lots of organizations haven't and don't bother registering, unless they expect a problem. Lots of volunteer-run software projects have better things to spend money on and just never get around to registering their name as a trademark until someone else tries to steal it out from under them.
When you're a very public open-source project whose brand is so central to success, registration is the better thing to spend their money on. Let's Encrypt did not show good judgment on this one.
EDIT: For example, they probably spent employee/retained-attorney time worth more than $375 just to put together their Trademark Policy page. [1]
It's a fair question, though you don't actually need to register your trademark to "own" it, it just provides some advantages and of course reduces the danger that someone will do what Comodo did.
If Comodo had actively used "Letsencrypt" as a brand paired with Comodo's registration, this case would be crystal clear: Letsencrypt wouldn't own anything.
With the situation now, it's debatable but saying that a trademark 'just provides some advantages' is a bit of an understatement.
That's a bit oversimplified. If LE had used the mark first, and had taken the measure of asking Comodo to stop using it, that would show them protecting their trademark, which would give them a case. The PTO is quite clear that registration is not required for a trademark to be enforceable.
It is very disheartening that Comodo, a seller of SSL certs, is attempting to steal some of the attention Let's Encrypt has put into making a more secure internet. Instead of trying to weasel their way in front of Let's Encrypt, a better strategy, in my personal opinion, would be to offer services on top of SSL. (Installing and managing SSL certs is still something a lay person cannot do.)
FWIW, at $DAYJOB we've been actively getting rid of our Comodo certs and replacing them with Let's Encrypt certs, because the Comodo certs don't work with certain older Android versions that we have to support - but Let's Encrypt's all just work.
If others are doing the same, this would be motivation for Comodo.
> On a separate note, since we are talking about protecting intellectual property, there is no law protecting business models. When Lets Encrypt copied Comodo's 90 day free ssl business model, we could not protect it. Lets encrypt could have chosen 57 days, 30 days or any other number for the lifetime of their certificates. But they chose to use Comodo's 90 day Free SSL model that we established in the market place for over 9 years!!! We invented the 90 day free ssl. Why are they copying our business model of 90 day free ssl is the question! Comodo has provided and built a Free SSL model that gives SSL for free for 90 days since 2007! Trying to piggy back on our business model and copying our model of giving certificates for 90 days for free is not ethical. They clearly wanted to leverage the market of Free SSL users we had helped create and establish and that's why they created exactly the same 90 day free ssl offering. So why did they choose 90 day? That is the question!
I'm not sure if he's delusional, or if he honestly thinks this is a "business model". Following that logic, all CAs are copying each other's business model when they offer one-year certificates. I don't have words for this.
Isn't this why we have Trademark laws and courts? If they have a right to it then we are more than happy to comply. But these kinds of Intellectual copyrights can't be decided over a forum post or twitter account or trying to get your loyal but "blind" followers to bully another enterprise via their tweets. It won't work! This is not the wild west and there is a legal framework and courts for these kinds of disputes. So let's all stop being the judge and jury and follow the law!
On a separate note, since we are talking about protecting intellectual property, there is no law protecting business models. When Lets Encrypt copied Comodo's 90 day free ssl business model, we could not protect it. Lets encrypt could have chosen 57 days, 30 days or any other number for the lifetime of their certificates. But they chose to use Comodo's 90 day Free SSL model that we established in the market place for over 9 years!!! We invented the 90 day free ssl. Why are they copying our business model of 90 day free ssl is the question! Comodo has provided and built a Free SSL model that gives SSL for free for 90 days since 2007! Trying to piggy back on our business model and copying our model of giving certificates for 90 days for free is not ethical. They clearly wanted to leverage the market of Free SSL users we had helped create and establish and that's why they created exactly the same 90 day free ssl offering. So why did they choose 90 day????? That is the question!
What they have is nothing new. We have been giving 90 day free certificates since 2007. Unlike them, our certificates are managed, even the free ones, so that consumers are protected. If a certificate is being used maliciously we revoke it. They don't! How is that making the internet safer??? Actually consumers are less safe with their certificate because if it is used maliciously they don't revoke (Unmanaged)!
Let's get the facts right, guys! We are the good guys that have been giving free SSL certificates since 2007 and managing them!
Hm? This seems to be the perfect use of this "intellectual property"[1]. Comodo is trying to deceive people, Let's Encrypt is trying to prevent it by enforcing their trademarks. This is how it's supposed to work.
--
[1] I don't like the term "intellectual property" mostly because people forget or misunderstand what it refers to and how the many various things called "intellectual property" work individually and differently from each other.
DigiCert. After a year with Symantec (can't recommend) it was a joy to get one from DigiCert. Good site, good tools, reasonable prices, 3 yr option, painless validation process (I'm in a small EU country, which tends to complicate things on occasion). Can't recommend enough.
Maybe also one of the stupidest. Comodo are really raising up LetsEncrypt in the eyes of the community, as well as sullying their own brand, by being such dicks, and being so obviously in the wrong.
And when they lose, as it sounds they will, they'll leave the LetsEncrypt brand all the more valuable than before.
US trademarks are easy to register.[1] The whole process is online and starts at $225. I hold several. You don't need a lawyer unless you're in some crowded area ("AAAAA Plumbing" would be a crowded area) or confusingly similar to an existing trademark.
There's no reason for a startup to not register a trademark.
I'm not sure what happened with Comodo in the past couple of years. I used to love their firewall and "secure" browser products - but then they stripped features from their free firewall option, and added sponsored links to the address bar autocomplete results! Literally a complete 180 from the impressions of privacy and security I originally had of the company.
Who do you guys trust for your wildcard needs? Assuming you were to build a super cheap side project on the weekends and you needed subject alternative names for your first-level subdomains.
We have confirmed that Comodo submitted Requests for Express Abandonment for all three trademark registration applications in question. We’re happy to see this positive step towards resolution, and will continue to monitor the requests as they make their way through the system.
We’d like to thank our community for their support.
I've uninstalled some software I've paid good money for as a result of this behavior. Further, Comodo will net exactly zero recommendations from me until this behavior is rectified.
Those bastards. I tried emailing sales@comodo.com but their mailing server falsely bounced my message saying there was a virus attached (I use anti-virus on my mail server.)
I called them and told their tech support guy about their broken mail server, and told him to check out letsencrypt.org and see how his company is trying to infringe on trademarks to bully their open-source competition, and that he should find a better employer.
I disagree. I think it's important to show that multiple people decided to donate because of this single comment. It's prompted me to donate to Let's Encrypt.
It's not humor-policing to point out that HN has a different culture and comments serve a different purpose here. I like pun threads - but I go to /r/jokes when I want them. Here, I expect a certain sort of signal - insight from experienced and intelligent people working hard on interesting technical problems.
This isn't to say that humor should be verboten, or pun threads strictly banned - but they're definitely not what HN has been about historically, and arguably should not be encouraged if we want HN to continue serving whatever role it serves. There are more places like /r/jokes than HN on the net, after all.
I don't want to be petty... but your comment would have a lot more weight if you made it with your primary account.
That said, I agree with all your points... but we're humans... Even if most of our time is spent on science, we still get amused by the most silly of things; and if those things help support LetsEncrypt... Hurrah!
HN has a culture of pointing out that obvious, boring jokes have no place here. There's a constant struggle by people to introduce them, but (amongst others) those of us who watched Slashdot flush itself down the toilet of shitty humor are going to police the site because it's what we want.
Isn't it fair to say that the field of computer science has (up until recently, apparently) distinguished itself with its corny humor, dorkiness, and resulting sense of humility? I feel like puns and bad jokes had generally been a special part of the culture of early technologists. It's a little sad to see that give way to a kind of self-important seriousness.
Don't be sad. The one context doesn't really apply to the other because these communities are so different in size and cohesion.
It isn't a question of humor, but of stock humor, which grows like crabgrass on the internet and quickly takes over. I think scott_s got it right years ago: https://news.ycombinator.com/item?id=7609289. Humor that clears the signal/noise threshold does fine here.
Actually, your priggish comment is way more of a buzz-kill in terms of what I expect / hope to find while browsing HN than the spontaneous demonstration of chain-reaction altruism evinced elsewhere in this thread.
Not without turning off CloudFlare. Maybe the CloudFlare Business Plan as well, though I don't know whether it supports multiple non-wildcard certificates.
As someone who has worked for years with early-stage startups, I would be the last to say "go out right away and spend away on legal things" to cover a bunch of theoretical risks. This poaching risk, for most startups, remains primarily theoretical and should not cause you to have to run out and spend a bunch of money on trademark filings before you know if you even have a viable venture. But, for the right cases (good mark, credible venture), it usually pays to be attentive to this issue up front and eliminate the risk through some proactive action.
ISRG is non-profit and its use of this mark was open and widespread. So I can see why they did not go out and incur trademark filing costs to protect a mark that I assume they believed no one could in good faith possibly challenge. This was probably the right judgment to make for their situation. Yet, in hindsight, we can see that the failure to do their own filing has left them vulnerable - not to poaching (as I said, they likely will win) but to having to go through an otherwise unnecessary legal fight to defend what is legitimately theirs.
It is unfortunate and I hope people will give support as needed. In all too many cases, underfunded people or organizations who are in the right do wind up getting overwhelmed by people who simply have more resources and who are determined to make life difficult. Even with a likely winning legal position, someone in this position can wind up having to do some compromise (such as a trademark co-existence agreement) giving the other party significant rights just to resolve the fight. Better to avoid that pressure here if it means enough to the relevant community.