Encryption & Key Management , Next-Generation Technologies & Secure Development , Security Operations
Comodo Drops 'Let's Encrypt' Trademark Applications
Was Conflict Just a Miscommunication?Comodo made no new friends last week when it claimed that a nonprofit project, Let's Encrypt, stole its business model. Now, the digital certificate giant says it will not pursue applications it filed last year aimed at securing trademarks using the phrase "Let's Encrypt." (see Let's Encrypt Clashes with Comodo Over Trademark).
See Also: Cybersecurity Awareness Engagement Toolkit: Elevate Your Security Culture
The Let's Encrypt project gives away domain-validated secure sockets layer/transport layer security certificates. The project, which is supported by the Electronic Frontier Foundation and funded by donations from many vendors, is aimed at increasing the use of encryption by website administrators to improve security and privacy.
Josh Aas, executive director of the Internet Security Research Group, which oversees the Let's Encrypt project, went public last week with the news that Comodo had filed three trademark applications in October 2015 with the U.S. Patent and Trademark Office. Comodo sought trademarks for "Let's Encrypt," "Let's Encrypt with Comodo" and "Comodo Let's Encrypt."
Aas said Let's Encrypt had been trying since March to get Comodo to cancel its applications, but had gotten no response.
Comodo officials have not responded to queries from ISMG. But Aas says the company has now submitted "requests for express abandonment" to the USTPO to cancel the three registrations.
In a posting on Comodo's forum, Robin Alden, the company's CTO, wrote: "Following collaboration between Let's Encrypt and Comodo, the trademark issue is now resolved and behind us, and we'd like to thank the Let's Encrypt team for helping to bring it to a resolution."
Collaboration?
Collaboration might not exactly be the right word. Alden's spin on the conflict doesn't address the outpouring of animosity toward Comodo after Let's Encrypt took its case public.
Comodo was on the receiving end of scathing comments on Twitter. The company is one of the largest vendors of SSL certificates, and commentators tagged the company as a bully.
Part of the outrage was directed at Comodo CEO Melih Abdulhayoglu, who claimed that Let's Encrypt had copied its business model. Comodo gives away 90-day digital certificates that are valid for one domain for free. The offering is a teaser to get organizations to eventually purchase digital certificates.
The certificates distributed by Let's Encrypt are valid for 90 days, but for a security reason: Certificates with shorter life spans offer a variety of security benefits. Aas maintained Abdulhayoglu was conflating two completely different offerings as being similar. Let's Encrypt and Comodo are in no way competitors, he contended.
Trademark Applications to Lapse
In another post on Comodo's forums, Alden says that his company never intended to take the trademark applications further since Let's Encrypt became operational. That's a dubious explanation, as Let's Encrypt began issuing certificates as part of a beta program in September 2015, about a month before Comodo filed its trademark applications. The project launched near the end of 2014.
Alden went on to write that the applications were already in a state where they would "lapse."
The USTPO's website shows all three applications were last acted on by the agency on Feb. 8, when Comodo was sent a "non-final office action," the term the agency uses for raising a question or issue with a party's application. According to USTPO rules, Comodo has six months to respond before the applications are abandoned.
So while it's true the applications would have eventually fallen by the wayside, the Let's Encrypt project would not have known about plans to let them lapse without word from Comodo.
Let's Encrypt maintained it had asked Comodo several times since March directly and through its attorneys to abandon the applications, but the company refused. Alden contested that characterization, writing "we just hadn't told [Let's Encrypt] we would leave them to lapse."
So from Comodo's view, all of it was just a miscommunication. Aas wrote in an update on June 24: "We're happy to see this positive step toward resolution and will continue to monitor [Comodo's] requests as they make their way through the system."
Hopefully Comodo will learn an important lesson from this experience: You can beat up your commercial competitors, but if you beat up on nonprofits, be prepared for a major backlash.