Hacker News new | past | comments | ask | show | jobs | submit login
Comodo has filed for express abandonment of LetsEncrypt trademark applications (comodo.com)
302 points by FredericJ on June 24, 2016 | hide | past | web | favorite | 93 comments

Evidently the company realized they were fighting a losing battle, particularly after the CEO's disastrous response:


Shows how most CEOs of even large companies are human like everyone else, not the "super mature", "super calculated", "super intelligent" begins they are made out to be. It's also important to note the arrogance - invented the 90 day trial :D

> Shows how most CEOs of even large companies are human like everyone else

Um, it doesn't really say anything about most CEOs, does it?

Actually, I think it shows how this guy is different from others, because he seems more nutty than most people.

How did someone like this become CEO? Or is it just his response to breaking under the pressure for the first time?

Because he founded the company.

In that case, the board is incompetent it seems.

Boards are optional, there simply may not be one.

Dont need basic grammer to fund a company.

It helps to know how to spell "grammar" when you post to HN, though.

Oh the irony

Poe's law[0] applied to grammar?


Muphry's Law.




This is intentional right?

You'd hope.

That whole thread is worth a read. Here is a global forum moderator slating the CEO: https://forums.comodo.com/general-discussion-off-topic-anyth...

Tangential, but what in the hell is with the whole thing where company execs refuse to use "I" in a sentence? Read anything typed up by some founder or something, and you see sentence after sentence deliberately omitting self-reference. Here specifically: "If they have right to it then more than happy to comply"... If they have right to it then I am/we are more than happy to comply. Anytime someone posts email correspondence on HN, it's inevitably a conversation devoid of self-referential terminology, even in totally innocuous sentences. "More than happy to X. Concerned about the thing with Y. Call this afternoon after meeting with Z." It's totally annoying.

I remember reading an article a while back (couldn't find it through Google) that talked about how people with abusive tendencies (which this kind of tortured diatribe seems adjacent to) have an accompanying tendency to psychologically distance themselves from their actions by avoiding first-person constructions, eg. "and then it happened" instead of "and then I did it".

That being said, it sounds like the cause of the omissions of just the words of the first-person constructions this post uses is more likely to be rooted in English being Melih's second language.

Here's another example of what I'm talking about from a recent post on HN [0]. Specifically in that post, an email correspondence goes like this: "Thought sharing this framework with you prior to our convo would make it more efficient. Would love to get your perspective on this when we chat in the morning (your evening)."

See the weird omission of reference to self? Here's something I didn't originally intend to share... The reason I notice this is because I used to type emails like that. I don't know why I used to do that, but I eventually stopped doing it consciously because I thought it sounded weird, and years later noticed it in the situation I mentioned earlier. I find it annoying these days to read people doing it. I totally get what you're saying about ESL, but I'm referring to it happening outside of non-native English speakers. I'm interested in your initial suggestion, though. Thanks!

[0] https://entrepreneurs.maqtoob.com/my-cofounder-said-i-love-w...

The historical example that comes to mind is telegrams, where the sender was charged per word, and consequently people omitted as many words as possible while keeping the message on the right side of comprehensible. Sometimes just barely; Wiki gives this example telegram from Orville Wright:

"Success four flights thursday morning all against twenty one mile wind started from Level with engine power alone average speed through air thirty one miles longest 57 seconds inform Press home Christmas"

I sometimes omit first-person pronouns and some other words when writing text messages, because I find it considerably more difficult to type there. The charitable interpretation I would give is that, if someone writes emails like this, either they're writing on an inconvenient mobile platform now, or they're used to writing on such a platform and write that way even with a proper keyboard.

I know that after I'd spent several years working in Japan and then returned to the United States, both my written and spoken language (English, in this case) had a marked (and remarked upon) paucity of self-referential pronouns.

I'm guessing, in this case, that this is just an ESL thing.

The use of "I" vs "we" has been studied by a lot of people in a lot of different contexts, and intelligent people have arrived at very different conclusions. So I have no idea what a complete lack of attribution means, but I'm leaning towards it being an extreme version of "we". I believe to be an avoidance of personal responsibility and a hamfisted attempt at emotional manipulation, because it has absolutely no influence over logically guided decision making.

With sentences like 'How is that making internet safer???"' I think a simpler explanation would be that he's Posting On Forums While Drunk.

He's speaking English as a second language.


He's Turkish. English isn't his first language.

Given that, I think it is his use of emphatic punctuation throughout the post which gives the impression that he is emotionally tilted, and not speaking in a professional capacity. He is using his public platform to deliver an impassioned rant. I don't think that's a result of him being a non-native speaker.

Assuming that English is his nth language, he could have utilized the services of a proof-reader.

The name Melih sounds Turkish maybe? I'm too lazy to look. But that's a characteristic esl quirk...

One forum post, nine different sentences saying the same thing: "Comodo invented 90 day free certificate".

To me this sounds quite similar to the ownership of the rectangle with rounded corners (I am actually not sure whose side I'm on in either dispute).

> "Comodo invented 90 day free certificate"

It's even sillier than that. Comodo has long offered a 90 day free trial cert. You have to pay to renew.

Let's Encrypt gives a 90 day free cert that's freely renewable as many times as you want along with an API to renew it. These aren't the same business models at all.

As far as I can tell, Let's Encrypt isn't a business model. It's funded by ISRG who describes themselves as a public-benefit corporation and is tax-exempt by the US tax authority. I don't see any direct profit motive for the ISRG itself, though there may be indirect profit benefits to the sponsors[1]. I don't see any direct ways Let's Encrypt takes payment; more likely, their revenue comes from donations.

What I don't get is why the CEO of Comodo, all the people on the thread all seem to assume Let's Encrypt has a business model, and that they are a competitor. The Comodo CEO seemed to keep coming back to that point, taking all of this personally. There is no business model to steal from Comodo because Let's Encrypt is not a business. And people kept responding and upholding that assumption?

Can someone give me a sanity check here on my logic? Am I the only person who sees this?

[1] https://community.letsencrypt.org/t/what-is-the-business-mod...

Let's Encrypt offers something for free that Comodo charges money for. They are a competitor, even if they don't make money.

I think Comodo was crazy here, but I can totally understand why they see Let's Encrypt as a threat.

The Comodo CEO makes it sound as if Let's Encrypt was created to personally target him and his ideas. It's one thing to see Let's Encrypt as an existential threat, it's another to attribute malicious, personal intent on the part of Let's Encrypt. I don't think people are careful to make a distinction between impersonal competition and personal competition when speaking about this.

Also, by your argument, why would any CA allow the ISRG to use their certificates to sign free certificates? In the article I linked, there was a good argument made that creating a free SSL cert creates or enhances the market for more expensive certificates. There's a path open.

"Business model", "business plan" are terms of art which are not necessarily constrained to the profit motive.

Nonprofits need business models too.

I disagree. Not everything need a business model. We only think that because that is normative, not because it is necessarily true.

If by "business model" you mean, "how do we keep the lights going", that's fair. However, that's not the primary mission of Let's Encrypt.

> If by "business model" you mean, "how do we keep the lights going", that's fair.

That was roughly my read. While "business" is frequently used as a synonym for "for profit company", that's not the only definition. Someone saying "that's none of your business" is unlikely to be talking about S corps.

> However, that's not the primary mission of Let's Encrypt.

It's the means by which they accomplish their primary mission. Can't encrypt the world if you can't keep your servers on.

Bittorrent uploaders in general don't have a "business model" but are still a threat and a "competitor" to copyright holders. And are still breaking the law.

The point Comodo guy is trying to make is they invented/own the 90-day certificate, or specifically the magic number 90. If they actually do he has the moral right to be upset (but of course that doesn't mean trademark law or common sense stop being applicable to the words "Let's encrypt")

> invented/own the 90-day certificate

Seriously? Even the US patent office would balk at an application to patent 90-day trials or 90-day certificates. Also, Let's Encrypt isn't doing trials, so patenting the first wouldn't even make sense.

Even if it doesn't... wouldn't Let's Encrypt just be able to change the default to 60 or something like that?

Yeah, but if it was a defensible patent they would still be on the hook for using it at all. Thankfully, Let's Encrypt could show literally hundreds of cases of prior art for X-day trials.

I give him credit for actually talking publicly with people.

Most CEO's hide behind the PR department, or speak only one-way, without replies.

> Most CEO's hide...

As they should when they're so divorced from reality that they provide the justifications that this guy has. Open dialog is nice, but it doesn't mean much when the underlying message is that of hostility.

Yes, but his reply reminded me of the saying 'it is better to keep quiet and be thought a fool, than speak and remove all doubt'.

You'd feel better if he lied to your face?

No, but I'd feel better if he didn't spout a whole pile of gobbledygook. Let's just say that if this were the CEO of the company I was working for when faced with an existential crisis such as 'lets encrypt' I'd be out in a hurry. This can't end well and in spite of the situation he's still the most visible part of Comodo and should have a very cool and wise head at times like these.

If this is any reflection on his mental state and processes Comodo is dead.

I've seen this happen before at a company that I'm too embarrassed to name, where leadership started to behave irrationally like ants infected by zombie fungus. The CEO wanted laptops to be stocked in checkout aisles - where impulse buy items go... I knew right then that we were dead. I don't think this guy has fungus on the brain, but there is an unseen cause: maybe it is ISRG eating his lunch, or maybe the thought of Microsoft doing the same as Win 10 pushes into the corporate environment.

English is his second language. So, some mistakes are OK. But going public while emotional is never a good idea.

I'm loathe to give him credit for publicly saying the most ridiculous things imaginable from one in his position.

Right. I'm glad he spoke publicly because it shines more light on how ridiculous his position is.

He actually tries to justify (or deflect) stealing the Let's Encrypt trademark by claiming LE stole the concept of a 90-day cycle. Ridiculous.

> He actually tries to justify (or deflect) stealing the Let's Encrypt trademark by claiming LE stole the concept of a 90-day cycle. Ridiculous.

You can patent business methods, but saying a 90-day cycle is an "inventive concept" would likely cause a competent attorney to take you to one side and quietly convince you to not point that fifty-caliber BMG at your leg.


That's not really the heart of the issue. He seems to be taking it as a point of honor, as if someone is stealing his business model ... but LE isn't a business.

Comodo might or might have innovated a 90-day free trial. But let's say for a moment that Comodo did invent the 90-day free SSL trial. The intent is for the promotional purpose of purchasing paid products. LE has no paid tiers, and the primary motivation is to help the internet get encrypted, not to sell certificates. What's ridiculous isn't the idea that a 90-day cycle got "stolen", but that the Comodo CEO persistently thought of ISRG as a business competitor when they are not even in business. (No one is fighting you, dude).

What I don't get is why so many people kept playing into that erroneous assumption of his instead of calling him on it.

Just because they are not in it for profit doesn't mean they are not a competitor to his business. It actually makes it worse from a purely business perspective.

Yes, and that's why he wanted the trademark. To kill them.

Sure, but most CEO's tend to determine exactly what their public-facing position IS before speaking. In this case he looks the fool as they're walking back his statements.

"Intellectual copyrights", wtf is that?

> "Intellectual copyrights", wtf is that?

Either someone who doesn't know the law trying to look smart, or someone who does know the law trying to bullshit their way into being able to own more than the union of copyright law, patent law, and trademark law actually allow them to own. Believe it or not, the law doesn't recognize "It's mine because I scream loudly enough" as a valid concept.

"trying to get your loyal but "blind" followers to bully another enterprise via their tweets. It won't work!"

Looks like it works. :D

"You have the power Mike Please make it stop"

-- Paul Christoforo, while being crushed by the internet hate machine.

> Trying to piggy back on our business model and copying our model of giving certificates for 90 days for free is not ethical.

I can't even imagine what he was thinking when he was saying this. Well, I can imagine dissonance, but not on the level from where this comes. It's literally insane, given it's business, and software business at that.

In the original Comodo forum thread about this issue (where the CEO made some claims about owning the 90-day certificate) there is this new response from a staff member (https://forums.comodo.com/general-discussion-off-topic-anyth...):

> With LE now being an operational business, we were never going to take the these trademark applications any further. Josh posted a link to the application and as of February 8th it was already in a state where it will lapse.

> Josh was wrong when he said we’d “refused to abandon our applications”. We just hadn’t told LE we would leave them to lapse.

> We have now communicated this to LE.

On LE's blog post, they mention that they have repeatedly asked Comodo to abandon the applications since March 2016. If Comodo was going to let the applications lapse as they claim, why not communicate this at the earliest opportunity?

To me this is a dodgy answer at best. I am not so familiar with trademark law, but I don't believe that an application "being in a state where it will lapse" is in any way disarmed - it is my impression that Comodo could simply have opted to continue the process, but is pretending that they wouldn't have in order to avoid bad press.

> If Comodo was going to let the applications lapse as they claim, why not communicate this at the earliest opportunity?

Poor internal communication between the people talking with Comodo and the decisionmakers? Not wanting to give the time of day to the competition, lest they avoiding wasting their time and resources? Deferring committing to the decision until the last moment, in case they change their mind? I can buy it.

> it is my impression that Comodo could simply have opted to continue the process, but is pretending that they wouldn't have in order to avoid bad press.

Based on my (non-lawyer) understanding, a trademark application sounds very much like "not a trademark", and an application that Comodo would eventually lose thanks to clear and conflicting objections from the people actually using the term. I don't think they could've continued indefinitely. I think they would have eventually dropped the process, if only through inaction by allowing the application to expire. I can buy that they were at the point where they were planning internally to drop the process.

Not out of any noble reasons, mind you - they'd have dropped it earlier, I think, if those were the cause. Filing in the first place may have been an act of bad faith. It's just not in Comodo's best interests to not fight a loosing battle to the point that it looses them the war, so to speak. Although it might be a bit late for that.

How is it that the Comodo CEO kept assuming Let's Encrypt and ISRG is a business, when it isn't? It's like he's fixated on that assumption and is dragging everyone else into it.

Further, the last time I read through things about trademarks, my understanding is that they don't work the way some of the people posting say it does. Trademarks are influenced by whether it is a distinguishing mark or not. You can lose trademark protection if it comes into common use. Once registered, you have to keep defending it as a distinguishing mark. So I'm not sure where the "paralegal" in that forum thread is coming up with the argument that it somehow works like a "first-to-file" -- the person who possesses the paperwork possesses the right.

Maybe my understanding is incorrect. If it isn't off though, I can see their lawyers saying, Comodo really doesn't have much of a case (but it'd still eat up a lot of time and resources a small non-profit won't have).

The paralegal in that forum thread is also talking about copyright -- and claims some knowledge about it. Yet this issue centers around trademarks, which are very different from copyrights.

Great to see a resolution to this issue, but this doesn't change the huge distrust in the organisation I've now gained. I won't be for the foreseeable future be buying any Comodo service again. They're clearly horribly misaligned with my values.

> thank the Let's Encrypt team for helping to bring it to a resolution.

Translation: Thank you LE team for sending the seething rage of internet masses after us. We surrender.

Glad they gave up, but calling it collaboration and speaking of thanking is silly bullshit.

Unless we see a statement from ISRG or LetsEncrypt, I'm going to assume "collaboration" means capitulation in the face of Internet pitchforks :)

Exactly what I thought.

We are switching our Comodo certs over to Let's Encrypt because certain old Android versions we have to support work with LE certs but not with Comodo. Particularly important for APIs.

The 90 day expiry is a bit of a faff, but we've mostly automated it using acme.sh and automated DNS edits, and now we just need load balancer access (we just moved to new hosts). LE is a godsend and fully up to commercial use in our experience.

After this, there is no way on earth we're giving Comodo money again. I would rather pay Thawte than these bozos.

I've dealt with this issue for years.

Comodo certs have two possible chains. If you want to be supported by older Android (and older iOS) devices, you needed to configure your server to hand out the longer of the chains. When you buy a cert, this is not the chain they will recommend.

This is easy under Linux if you can find the right certs, a huge PITA if you're on IIS.

They do an incredibly poor job of documenting this or informing their support on how to address it.

We switched to Let's Encrypt literally because of this, so that's a direct penalty for their stupidity on this one ;-)

Do you know a writeup anywhere of the cert chain issue? (I ask for idle amusement, no way we're going back to them.)

Oh, and when I say "fully up to commercial use", we plan to use LE certs for our dev instances too (so we're SSL at all stages of development).

No write up anywhere that I ever found. The best investigative tool is the SSLLabs SSL test, which will show you both possible paths from the cert. By looking at which certificates that test shows the server provided, you can divine which path things are going to take.

If you find yourself landing at a root CA which is newer and not trusted by as many devices, those devices won't intelligently realise it's cross-signed, unless you switch the certs the server offers to send them up that path.

I'll never be sure if this is true, but it will be in my memory... User robinalden is the CTO, who I tweeted ~2h before the response was posted (https://twitter.com/viraptor/status/746138644537237504). Given that he only posted 13 times on those forums, I hope I actually caused him to ask Melih what he's doing :)

Let's Encryption updated their blog post:

"Update, June 24 2016

We have confirmed that Comodo submitted Requests for Express Abandonment for all three trademark registration applications in question. We’re happy to see this positive step towards resolution, and will continue to monitor the requests as they make their way through the system.

We’d like to thank our community for their support."

Alas, it's too late to save the business they lost forever from my company and others who switched our business to another provider literally yesterday. Thanks Comodo, for letting us know you are not a company we wish to do business with.

It's amazing how a bit of bad press can expedite such matters. :) Nice try, Comodo, better luck next time.

"A bit" is a bit of an understatement. The Comodo issue was one of the most upvoted on both HN and Reddit.

People immediately realized how much of a terrible company Comodo is and the negative feedback had to have poured in.

Even if you forgive them for this, there's plenty of other reasons to dislike Comodo.

Never used Comodo, and never will.

Beside abusing the legal system, there is something else called right and wrong by common sense. A CEO does not get that really should try a different job.

Too late for me. Already renewed my expiring certs elsewhere yesterday.

I wonder if several hundred people like youself had anything to do with their "express" abandonment.

It's a statement made by what appears to be a new employee, who earlier on in that thread appeared to contradict their CEO.

Melih's arguing on that thread has reached the level of trollbait.

Still, will never buy from them again.

Yup, that reply from the CEO alone is enough for me to never want to buy a cert from Comodo again.

Why do I see this post as "[flagged]"?

This happened on the other link to their message board, and it doesn't surprise me - the CEO has plopped himself in the middle of a very charged issue, making it difficult to discuss the issue without it getting personal. HN is great, due in large part to the moderators knowing what they're doing, but a little more transparency on flagging would be nice (like @dang's unlink and retitle messages). This sort of thing is only going to become more important as information manipulation in old media becomes less effective on people who form their opinions in places like this.

I was wondering this too, seems to have been removed though.

A wise decision to limit losses and a face saving statement. They shouldn't have started this, hopefully a lesson for other companies.

"the trademark issue is now resolved", amazing.

They clearly wanted to put them out of business because they see them as a competitor!

HackerNews has won!

not really, hn still uses certs from comodo. cloudflare still uses certs from comodo. cloudflare and hn dropping comodo would have been close to a win

OK, I won't change my nick to ComodoPhacker this time as I planned to.

Does anyone know a good free alternative to their Comodo Internet Security product? I know there are plenty of free AV products, but I also use its firewall and HIPS features, especially detailed logging.

Applications are open for YC Winter 2020

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact