There is a general lesson here for startups as well.
If you have an important mark, do consider doing an intent-to-use (ITU) application earlier rather than later to prevent poaching of the mark by others.
If you haven't actually used the mark in commerce (e.g., if you are in pure development phase), anybody can go out and file an ITU application for your mark and thereby effectively poach it - even if the person doing it is just trying to extort you (of course, they won't say this is their motive). During this phase, you are vulnerable to such poaching risks. For the vast majority of startups, it probably doesn't matter because no one cares about the typical mark or marks they plan to use when there is nothing yet noteworthy about them. But it can and does happen. Autocad got poached in this fashion when it first started. I had a client that had the domain name gmail.net, planning to use it for "graphics mail" back in the day, and they could have blocked Google had they filed a "Gmail" ITU application (they didn't). Particularly if your mark is distinctive and fanciful, and tied to a credible venture, you should not be lax on this issue. At least give it some careful thought even if your decision is to take the poaching risk to avoid what you see as unnecessary up-front costs on legal items. Remember: an ITU application gives priority over someone who has not yet used a mark and it gives it to anyone and his uncle who happens to file it even if they have done nothing yet in your field.
Once you begin to use a mark in interstate commerce, then you get common law protections by which the person who is first to use a mark in a given geographical area automatically gets priority to the mark within that area. This happened with an outfit called Amazon Books in the Minneapolis area at the time Amazon.com launched and they eventually got a settlement payout from Amazon for infringement of their common law trademark rights in that area by the bigger organization. Thus, if you are indeed using a mark in this way, and someone comes along and tries to register a mark (whether ITU or otherwise), you keep your priority over the late arrival and can sometimes even block them from getting the registration (or have it set aside through a formal legal fight). But this is a path with many potential pitfalls. Unless your actual use was open, prominent, and notorious, you may have proof issues to establish it or to establish its extent. Even if you can prove first use and broad extent, you still may have to fight the latecomer and incur large legal expenses in the process. Moreover, if you have not registered your mark, you do not get a "presumption of validity" for it and this leaves it more vulnerable to a legal argument that the mark is not protectible at all (meaning that many people can use it without infringing on others' rights). Or it can be argued that it is at most entitled to weak protection so that a use by another in a slightly unrelated field will not cause customer confusion and hence not infringe even if the mark is protectible. And so on and so on. The situation is just not clean in this scenario or at least can more readily be gummed up by a determined adversary who has "lawyered up."
As someone who has worked for years with early-stage startups, I would be the last to say "go out right away and spend away on legal things" to cover a bunch of theoretical risks. This poaching risk, for most startups, remains primarily theoretical and should not cause you to have to run out and spend a bunch of money on trademark filings before you know if you even have a viable venture. But, for the right cases (good mark, credible venture), it usually pays to be attentive to this issue up front and eliminate the risk through some proactive action.
ISRG is non-profit and its use of this mark was open and widespread. So I can see why they did not go out and incur trademark filing costs to protect a mark that I assume they believed no one could in good faith possibly challenge. This was probably the right judgment to make for their situation. Yet, in hindsight, we can see that the failure to do their own filing has left them vulnerable - not to poaching (as I said, they likely will win) but to having to go through an otherwise unnecessary legal fight to defend what is legitimately theirs.
It is unfortunate and I hope people will give support as needed. In all too many cases, underfunded people or organizations who are in the right do wind up getting overwhelmed by people who simply have more resources and who are determined to make life difficult. Even with a likely winning legal position, someone in this position can wind up having to do some compromise (such as a trademark co-existence agreement) giving the other party significant rights just to resolve the fight. Better to avoid that pressure here if it means enough to the relevant community.
My experience(s) with Comodo have been well short of awe-inspiring and their reputation certainly isn't great - to me, this is just another mark against them.
It seems Comodo is obviously lashing out because the only value their service provides is the (ultimately artificial) trust in their CA. And now there's a new player on the scene that not only is free, but provides more value in terms of ease of use and just as much trust.
They were correct to believe that no one could in good faith do what Comodo are doing.
There is no way that Comodo are acting in good faith and any claim otherwise is either an outright lie or (if anyone claiming good faith genuinely believes that to be true) complete stupidity. Or both.
Never rely on good faith from your competitors.
Let's Encrypt is a noble good-for-everyone effort, so it is depressing that there are those out there that will do it harm.
We're making it possible for everyone to experience a secure and privacy-respecting Web.
We make it easy to get certificates for HTTPS, because ease of use is critical for adoption.
We provide certificates free of charge, because cost excludes people.
Our certificates are available in every country in the world, because the secure Web is for everyone.
We strive to be open and transparent, because these values are essential for trust.
Their browser extensions break browser security: https://news.ycombinator.com/item?id=11021633 https://news.ycombinator.com/item?id=9091917
They issued fraudulent SSL certificates in 2011: https://www.schneier.com/blog/archives/2011/03/comodo_group_...
Moxie had an amusing anecdote about this incident in his Blackhat 2011 talk "SSL and the future of authenticity". Apparently the same IP as was used by the "sophisticated attacker" and disclosed by Comodo downloaded sslsniff from Moxie's server the next day, referred by a video tutorial about intercepting SSL.
> While this site's certificate is technically valid, it was issued by an untrustworthy (citation) agency (link to Comodo).
This should be included as a warning for every website that has their cert: https://en.wikipedia.org/wiki/Comodo_Group#Controversies
Perhaps this group could publish reports periodically so that they can then be picked up and bundled into browsers - that way you're not constantly sending [trackable] cert requests to a 3rd party, and you already have the cert info so there's no query server to DDoS.
Maybe Firefox could incorporate it into the TLS info popup and possibly the HTTPS icon... Chrome never would; this idea goes way too close to the advertising industry.
An extension would be nice, but something like this would never go viral so would never get adoption. Native browser integration would be a must.
Also, mozilla.org's cert is by DigiCert. What's their track record?
If it helps I'll advise any companies I consult to do the same until this changes. Money is the only thing this company will understand.
Not entirely, but mostly: seeing as this is my job, I should have some idea. Currently writing a post about how we've used some psych techniques to automate the non-automatable parts which I'll post on HN.
> (and they're a dumb idea anyway)
EV matches identity to public keys. Nothing more, nothing less.
If you need EV, we (https://certsimple.com) specialise in making those background checks far less painless with a bunch of unique tech. This means you get your certificate faster and with a lot less effort on your behalf (and a lot more on ours) during the verification process: https://certsimple.com/about
If a DV cert is fine, go with Let's Encrypt (Hi Richard!), dnsimple (Hi Anthony!) or CloudFlare (Hi John and Filippo!) or Heroku.
Pricing starts at 220€ per year, in case anyone is interested.
If I recall, StartSSL sort of hoists their EV identity-verification out into its own step before you actually apply for certs. The identity-verification process costs money (and it can't not; it involves paying real people to do background checks), but any EV certs issued to a verified identity are free.
I think what this will mean is that, if you do an ACME request to StartSSL using an identity they've verified—and for a domain associated with that identity—then the cert in the response will automatically be an EV cert.
This is pretty huge, in that usually EV certs cost a large amount per issuance—whereas a pre-verified ACME-issued cert effectively has zero marginal cost to reissue. Previously, EV certs were usually used only for apex domains, with a secondary DV cert collecting the internal SANs together—because the DV cert had a low (now zero) reissuance cost, while the EV cert cost the full amount each time to get reissued. Now you can just use your EV cert for everything, and alter it as suits you: much simpler.
I hope other CAs adopt the same approach; it's a very good idea. (Pie-in-the-sky thought: maybe one day we'll have the equivalent of the semi-automated KYC service providers that have phone apps to scan drivers' licenses, but for corporations. Then issuing EV certs will just mean an API call.)
StartEncrypt, the equivalent of an ACME client for their API, appears to be a closed-source binary blob with no documentation whatsoever (based on what's visible on their product landing page and what's inside the downloaded files).
That was back in 2012 when I worked for a University. Good luck getting those certs though. Their web service was so broken and if you ever asked for a 2nd cert it'd revoke the first one (which is great if you use them for e-mail encryption because now you can't read any of your old e-mails :-P .. that was more of an Outlook/GAL issue though).
I really hate that InCommon was using Comodo considering all the shit they've done (like issue Google and Facebook certs to the Iranian government).
Not entirely, but Let's Encrypt could partially automate the verification process (e.g. looking up business entities and contacting their registered agent with an authorization code), and then fully automate obtaining a certificate with those verified credentials.
That's not so bad if you have to do it once a year or better yet once every two years, but I'm not doing that every 3 months.
There's an issue open to allow for the process to be automated, hopefully by the next time I need to renew it'll be available. But as it stands today I went with a paid certificate.
I was just looking at doing this last night for two sites and came to the conclusion that it was too painful.
Far too many products still require manual intervention which is a huge bummer. Synology, VMware, ddwrt etc.
OTOH, lego with Cloudflare DNS challenge proved to be very easy to use with a single command.
Of course that's still like a money printing machine, and wildcards and greenbars are much more. But the deal was pretty fine for my personal domain. To be frank, I would probably have renewed with them.
I use LetsEncrypt in most cases (and have companies I work with donate a portion of what they used to spend) and then DigiCert for EV SAN.
To me, this behavior reinforces that that was the right decision.
How is this company still alive after their numerous security breaches/issues (https://en.wikipedia.org/wiki/Comodo_Group#Controversies) and then on top of those, this thing? They need to go out of business.
So that being said, reading the fine print of what the lawyer had to sign in order to submit the application, shouldn't the lawyer be vulnerable to perjury charges?
Excerpt from http://tsdr.uspto.gov/documentviewer?caseId=sn86790719&docId... :
The signatory believes that: if the applicant is filing the application under 15 U.S.C. § 1051(a), the applicant is the owner of the trademark/service mark sought to be registered; the applicant is using the mark in commerce on or in connection with the goods/services in the application; the specimen(s) shows the mark as used on or in connection with the goods/services in the application; and/or if the applicant filed an application under 15 U.S.C. § 1051(b), § 1126(d), and/or § 1126(e), the applicant is entitled to use the mark in commerce; the applicant has a bona fide intention, and is entitled, to use the mark in commerce on or in connection with the goods/services in the application. The signatory believes that to the best of the signatory's knowledge and belief, no other persons, except, if applicable, concurrent users, have the right to use the mark in commerce, either in the identical form or in such near resemblance as to be likely, when used on or in connection with the goods/services of such other persons, to cause confusion or mistake, or to deceive. The signatory being warned that willful false statements and the like are punishable by fine or imprisonment, or both, under 18 U.S.C. § 1001, and that such willful false statements and the like may jeopardize the validity of the application or any registration resulting therefrom, declares that all statements made of his/her own knowledge are true and all statements made on information and belief are believed to be true.
Let's Encrypt will likely defend their claim, if it comes to it, through the tort of passing off: https://en.wikipedia.org/wiki/Passing_off
Edit: I can English good.
Here's a reasonable article on it: http://www.fr.com/news/prior-user-vs-federal-registrant-whos...
Registration makes trademark ownership clear. It's not essential, but a really good idea.
All that being said, under US law you still have trademark rights even before you register the mark, and ISRG definitely has first use on the Let's Encrypt mark.
> You may challenge an application for trademark registration at the USPTO by filing an opposition with the TTAB within 30 days after it is published in the Official Gazette.
Google could probably provide the information about such a search being made from the lawyer's offices!
I wonder if trademark law has similar incentives to behave irrationally.
This legal advice was valid at one point.
However, nowadays, willful infringement requires more than just knowledge.
It has for a few years, but the most recent supreme court decision also strongly supports this.
See Halo Electronics v. Pulse Electronics (http://www.supremecourt.gov/opinions/15pdf/14-1513_db8e.pdf), in the concurrence:
> First, the Court’s references to “willful misconduct” do not mean that a court may award enhanced damages simply because the evidence shows that the infringer knew about the patent and nothing more.
> “failure of an infringer to obtain the advice of counsel . . . may not be used to prove that the accused infringer wilfully infringed.”
Maybe lawyers don't peruse the tech news, not even tech lawyers. Well, the lawyer's client most likely does. And really, the lawyer is just filing the request on the client's behalf.
Besides it doesn't matter. A simple web search would have turned up Let's Encrypt. Not doing a simple web search before filing a trademark request is negligence.
18 U.S.C. § 1001 isn't perjury, it's false statements, the same charge as lying to the FBI (Scooter Libby, Rod Blagojevich, Bernie Madoff, etc.). It can still result in prison, though!
Drop this nonsense. It helps no one.
Good luck guys!
The same could possibly be said for Chromium's Root Certificate Policy. It doesn't break the specific trusted tasks but I would say it counts as generally operating in a non-trustworthy way.
Seems dumb on Comodo's part.
That threat is only valid if the other browser vendors do the same thing at the same time, otherwise it's a massive game of prisoner's dilemma.
> Isn't this why we have Trademark laws and courts? If they have right to it then more than happy to comply. But these kind of Intellectual copyrights can't be decided over a forum post or twitter account or trying to get your loyal but "blind" followers to bully another enterprise via their tweets. It won't work! This is not wild west and there are legal framework and courts for these kind of disputes. So lets all stop being the judge and jury and follow the law!
> One a separate note, since we are talking about protecting intellectual property, there is no law protecting business models. When Lets Encrypt copied Comodo's 90 day free ssl business model, we could not protect it. Lets encrypt could have chosen 57 days, 30 days or any other number for the lifetime of their certificates. But they chose to use Comodo's 90 day Free SSL model that we established in the market place for over 9 years!!! We invented the 90 day free ssl. Why are they copying our business model of 90 day free ssl is the question! Comodo has provided and built a Free SSL model that give SSL for free for 90 days since 2007! Trying to piggy back on our business model and copying our model of giving certificates for 90 days for free is not ethical. They clearly wanted to leverage the market of Free SSL users we had helped create and establish and that's why they created exactly same 90 day free ssl offering. So why did they choose 90 day????? That is the question!
> What they have is nothing new. We have been giving 90 day free certificates since 2007. Unlike them, our certificates are managed, even the free ones, so that consumers are protected. If a certificate is being used maliciously we revoke it. They don't! How is that making internet safer??? Actually consumer are less safe with their certificate because if it is used maliciously they don't revoke (Unmanaged)!
> Lets get the facts right guys! We are the good guys that have been giving free SSL certificates since 2007 and managing them!
Because both approaches are critically centered around the number 90, or something..
It's embarrassing. I hope that CEO is good at other things.
It doesn't seem like there is any good reason for Comodo to do this, other than try protect revenue loss.
You seem to imply there was a time in recent memory where comodo itself was at a level above patent trolls. At a high level, patent trolling is associated with rent collection behaviour and using coercion to profit. I see this as comodo's core business, so I guess I am just quibbling about timeframe.
These snakes are aggressive as hell. They monitor domain registrations and email-bomb anyone in DNS records. Their spam gets through filters and they'll call you up to sell you certs. Fuck them.
[x] First they ignore you,
[x] then they laugh at you,
[x] then they fight you,
[ ] then you win.
- Mahatma Gandhi
[ ] then you ignore them
By "defense" I mean their PR spin, of course. I doubt they'll actually come right out and say "Let's Encrypt is a threat to our revenue and we're attempting to trademark the name under-the-radar so that we can sue them out of existence."
"Verified by: COMODO CA Limited"
Gotcha. Yeah, I thought they meant the LetsEncrypt page.
Well, not entirely; there are market niches that Let's Encrypt doesn't cover: org-validated and extended validation certs, wildcard certs, anyone who needs a cert that expires in years, ECDSA certs (for the time being)...
But there's no doubt that their revenue will be significantly cut, they'll lose shareholder value and need layoffs.
Their industry did it to themselves; a TLS cert company should have 5 engineers, 5 customer support people, and 2 managers, and should charge about 10% of what they do.
IMHO we can't put them in the same basket.
Blatantly registering another company's name as your trademark, within the industry and for the direct product you are competing against, is piss poor intimidation. What possible legitimate motive could they have to do this? None. In the best case, it is for the eponymous "defense" package, at worst it is for intimidation.
To me, it's closer to "Joe's Pizza," "Anna's Pizza", and "Arlington Pizza" all selling, well pizza. Could someone confuse Arlington Pizza and Anna's Pizza? Sure, especially if Anna's Pizza is in Arlington and the owner of Arlington Pizza is named Anna. Nevertheless, you can't trademark "<Adjective> Pizza"
> Nevertheless, you can't trademark "<Adjective> Pizza"
Yep, you totally can. Again, because originality has got
nothing to do with trademarks:
Hot Pizza: http://tmsearch.uspto.gov/bin/showfield?f=doc&state=4808:i80...
Scratch Pizza: http://tmsearch.uspto.gov/bin/showfield?f=doc&state=4808:i80...
Match Pizza: http://tmsearch.uspto.gov/bin/showfield?f=doc&state=4808:i80...
Anytime Pizza: http://tmsearch.uspto.gov/bin/showfield?f=doc&state=4808:i80...
What I meant is that you can't use your trademark on "<Adjective> Pizza" to exclude anyone else from registering "<Different Adjective> Pizza" and competing with you [edit: under that mark].
Likelihood of confusion is the acid test for trademark infringement:
Also, preventing others from competing with you is completely irrelevant to trademarks. That's more something like what patents do. As far as trademarks go, you can compete all you want, just make sure you don't portray yourself as having the same name as your competitor.
Also with very cheesy and bad grammar.
If that is the case, then it's a good thing (IMHO)
The web site had a black banner with white text on the top that stated in high contrast that it was the developer site and no actual transactions would run and tickets could not be purchased if a transaction was attempted here. (even was using a test domain while clearly the live site's domain was in the header)
They still required us to purchase some package to use the certificates on that site. When LE came up we were more than thrilled that we didn't have to fork out extra cash for developing on sites that don't get traffic at all and clearly stated this fact.
I will never go back to StartCom considering how they treated us that day.
It seems more likely that the approval process is strictly up to whomever is approving requests at the time, because I've also seen several friends get certificates for e-commerce sites that were clearly labeled as the production server and have yet to be revoked after several years of running and becoming successful.
I don't know how StartCom runs the actual process and I could have just been caught on a bad person that day, but honestly when you have one bad experience humans tend to avoid going through that again since we are programmed since birth to do this. Of course Let's Encrypt has been more than what we expected and we will continue to use them until such time as we are required to stop using them!
Go Let's Encrypt - You got this company's support and I'm sure that of many others, so don't ever stop fighting!
Badly. We've used their service for five years in clear and constant violation of their ToS, and apart from demanding a one-time hush payment they didn't even pretend to care.
StartSSL even changed their CI colours from "green, with red highlights" to "exactly the same shade of blue Let's Encrypt has, with green highlights", I mean come on.
Could be public, could be private (I'd prefer private, since that would make resiliency, competition & experimentation more likely).
The problem is that a single entity can vouch for each site, so if you don't want to trust it, you can't validate the site at all. Moxie's Convergence[¹] proposal - like Carnegie Mellon's Perspectives Project before - avoids this problem by allowing many entities to vouch for the same site.
Most certs are just money printing machines for the orgs in charge of them and I am not surprised they would want to fight back against LE.
Yet somehow, the PCI SSC accepts their scan results as actionable for Level 1-3 compliance.
While I'm sure there are CAs who aren't as egregiously bad as Comodo, it's hard to get around the fact that they basically shouldn't exist as a class, and any CA that isn't working to put itself out of business is sort of hurting the Internet ecosystem.
Another reason to use distributed identity.
Donated to Let's Encrypt.
That this happens was quite foreseeable and occurs quite often if people forget to secure trademarks (I know this won't be a popular opinion because most, as I do, like Letsencrypt and their outstanding service)
EDIT: For example, they probably spent an employee/retained-attorney time worth more than $375 just to put together their Trademark Policy page.
With the situation now, it's debatable but saying that a trademark 'just provides some advantages' is a bit of an understatement.
If others are doing the same, this would be motivation for Comodo.
> One a separate note, since we are talking about protecting intellectual property, there is no law protecting business models. When Lets Encrypt copied Comodo's 90 day free ssl business model, we could not protect it. Lets encrypt could have chosen 57 days, 30 days or any other number for the lifetime of their certificates. But they chose to use Comodo's 90 day Free SSL model that we established in the market place for over 9 years!!! We invented the 90 day free ssl. Why are they copying our business model of 90 day free ssl is the question! Comodo has provided and built a Free SSL model that give SSL for free for 90 days since 2007! Trying to piggy back on our business model and copying our model of giving certificates for 90 days for free is not ethical. They clearly wanted to leverage the market of Free SSL users we had helped create and establish and that's why they created exactly same 90 day free ssl offering. So why did they choose 90 day? That is the question!
I'm not sure if he's delusional, or if he honestly thinks this is a "business model". Following that logic, all CAs are copying each other's business model when they offer one-year certificates. I don't have words for this.
Isn't this why we have Trademark laws and courts? If they have right to it then more than happy to comply. But these kind of Intellectual copyrights can't be decided over a forum post or twitter account or trying to get your loyal but "blind" followers to bully another enterprise via their tweets. It won't work! This is not wild west and there are legal framework and courts for these kind of disputes. So lets all stop being the judge and jury and follow the law!
One a separate note, since we are talking about protecting intellectual property, there is no law protecting business models. When Lets Encrypt copied Comodo's 90 day free ssl business model, we could not protect it. Lets encrypt could have chosen 57 days, 30 days or any other number for the lifetime of their certificates. But they chose to use Comodo's 90 day Free SSL model that we established in the market place for over 9 years!!! We invented the 90 day free ssl. Why are they copying our business model of 90 day free ssl is the question! Comodo has provided and built a Free SSL model that give SSL for free for 90 days since 2007! Trying to piggy back on our business model and copying our model of giving certificates for 90 days for free is not ethical. They clearly wanted to leverage the market of Free SSL users we had helped create and establish and that's why they created exactly same 90 day free ssl offering. So why did they choose 90 day????? That is the question!
What they have is nothing new. We have been giving 90 day free certificates since 2007. Unlike them, our certificates are managed, even the free ones, so that consumers are protected. If a certificate is being used maliciously we revoke it. They don't! How is that making internet safer??? Actually consumer are less safe with their certificate because if it is used maliciously they don't revoke (Unmanaged)!
Lets get the facts right guys! We are the good guys that have been giving free SSL certificates since 2007 and managing them!"
Cheers to LE for standing tall.
Please donate to LE, EFF.
1) We gonna encrypt u
2) Allow us to encrypt!
3) I CAN HAZ NCRYPTON?
I don't like the term "intellectual property" mostly because people forget or misunderstand what it refers to and how the many various things called "intellectual property" work individually and differently from each other.
and rightfully so, see https://www.eff.org/issues/intellectual-property/the-term
Can someone recommend a good provider for code signing certs?
And when they lose, as it sounds they will, they'll leave the LetsEncrypt brand all the more valuable than before.
There's no reason for a startup to not register a trademark.
They're far too shady these days.
- Oh, I like that what you have. You know what? I WANT it. And I'm going to take it just because I'm bigger than you.
They can go to hell. I'm not renewing my certs with those twats. Bullying is not fine just because it is a company instead of a person doing it.
Let's encrypt, the community is with you. I just donated to your cause.
Update, June 24 2016
We have confirmed that Comodo submitted Requests for Express Abandonment for all three trademark registration applications in question. We’re happy to see this positive step towards resolution, and will continue to monitor the requests as they make their way through the system.
We’d like to thank our community for their support.
Does someone have a proper email for Comodo so it is possible to complain directly to them? (1)
I really hope a lot of people will complain directly to them so they see this is not OK in any way and do the right thing.
(1) "contact us" on their homepage is just empty for me on my mobile for some reason.
Therefore the question.
This blog reads like sour grapes, and to me, is on the edge of riling up a community to damage a competitor.
I called them and told their tech support guy about their broken mail server, and told him to check out letsencrypt.org and see how his company is trying to infringe on trademarks to bully their open-source competition, and that he should find a better employer.
Unfortunately meta discussions are frowned upon too, so I shouldn't have made this comment either.
This isn't to say that humor should be verboten, or pun threads strictly banned - but they're definitely not what HN has been about historically, and arguably should not be encouraged if we want HN to continue serving whatever role it serves. There are more places like /r/jokes than HN on the net, after all.
That said, I agree with all your points... but we're humans... Even if most of our time is spent on science, we still get amused by the most silly of things; and if those things help support LetsEncrypt... Hurrah!
It isn't a question of humor, but of stock humor, which grows like crabgrass on the internet and quickly takes over. I think scott_s got it right years ago: https://news.ycombinator.com/item?id=7609289. Humor that clears the signal/noise threshold does fine here.
In a comment thread about somebody donating? You must be disappointed often.