274 comments

[ 5.6 ms ] story [ 204 ms ] thread
Talk about an abuse of the trademark system.
Hm? This seems to be the perfect use of this "intellectual property"[1]. Comodo is trying to deceive people, Let's Encrypt is trying to prevent it by enforcing their trademarks. This is how it's supposed to work.

--

[1] I don't like the term "intellectual property" mostly because people forget or misunderstand what it refers to and how the many various things called "intellectual property" work individually and differently from each other.

(comment deleted)
The fact that Comodo was able to get this far with infringing a trademark just because it wasn't registered is the abuse that I was talking about.
This is disappointing, but not surprising given that Lets Encrypt threatens a large and out-dated revenue stream for Comodo. Thankfully Lets Encrypt is backed by Mozilla and the EFF, they have the resources to defend the brand.

Good luck guys!

Couldn't this sort of behavior be against the Mozilla CA Inclusion Policy and thus grounds for no longer bundling Comodo CA certs?

The same could possibly be said for Chromium's Root Certificate Policy. It doesn't break the specific trusted tasks but I would say it counts as generally operating in a non-trustworthy way.

Seems dumb on Comodo's part.

Probably, but Mozilla will never do it just because of the sheer amount of stuff that will stop working only on their browser.

That threat is only valid if the other browser vendors do the same thing at the same time, otherwise it's a massive game of prisoner's dilemma.

The bullshit the CAs pull never ceases to amaze me.
Comodo in particular has a long history of shady bullshit. Tarring all CAs with that brush strikes me as unduly harsh.
While its fair to say that some CA's are not scum, so many of them have done shady things, and they are basically rent seekers for a product that they spend little on to verify things like identity etc.

Most certs are just money printing machines for the orgs in charge of them and I am not surprised they would want to fight back against LE.

See also "Chromodo", the Chrome fork by Comodo that introduces such incredible security features as turning off the same-origin policy, completely breaking the Internet security model.
Indeed. Their PCI-DSS compliance scanning service is completely useless. Service version fingerprinting only, regardless of binary patch level or actual vulns.

Yet somehow, the PCI SSC accepts their scan results as actionable for Level 1-3 compliance.

PCI verification is a rubber stamp all the way through, is how.
> Tarring all CAs with that brush strikes me as unduly harsh.

While I'm sure there are CAs who aren't as egregiously bad as Comodo, it's hard to get around the fact that they basically shouldn't exist as a class, and any CA that isn't working to put itself out of business is sort of hurting the Internet ecosystem.

What does CA mean in this context?
CA stands for 'certificate authority'. It's an organization that can issue digital certs.
(comment deleted)
(comment deleted)
And that's a bit ironic, given that we rely on them for part of the foundation of internet security... just say'n is all.
CAs charge so much and offer so little value at such high risk. Comodo has already been subverted once before.

Another reason to use distributed identity.

Donated to Let's Encrypt.

The entire CA model is fundamentally broken: I rely on an entity I have no relationship to vouch for entities it has a relationship with. That makes no sense. The way it should work is that I rely on an entity I do have a relationship with to vouch for entities.

Could be public, could be private (I'd prefer private, since that would make resiliency, competition & experimentation more likely).

Technically, you have a relationship: you have their certificate in your computer for your browser to validate against. You can remove it and/or add others.

The problem is that a single entity can vouch for each site, so if you don't want to trust it, you can't validate the site at all. Moxie's Convergence[¹] proposal - like Carnegie Mellon's Perspectives Project before - avoids this problem by allowing many entities to vouch for the same site.

[1] https://en.wikipedia.org/wiki/Convergence_%28SSL%29

You can only imagine it's being done for malicious reasons.

It doesn't seem like there is any good reason for Comodo to do this, other than try protect revenue loss.

It looks like they have nothing left to lose. Acting in bad faith so openly lowers them to the levels of patent-trolls. I can't think of any company which respects its public image doing any new business with them after this news.
> Acting in bad faith so openly lowers them to the levels of patent-trolls.

You seem to imply there was a time in recent memory where comodo itself was at a level above patent trolls. At a high level, patent trolling is associated with rent collection behaviour and using coercion to profit. I see this as comodo's core business, so I guess I am just quibbling about timeframe.

If 'protect revenue loss' is an oblique way of justifying outright theft, then sure.

These snakes are aggressive as hell. They monitor domain registrations and email-bomb anyone in DNS records. Their spam gets through filters and they'll call you up to sell you certs. Fuck them.

The worst possible move by a competitor. Not cool Comodo.
Maybe also one of the stupidest. Comodo are really raising up LetsEncrypt in the eyes of the community, as well as sullying their own brand, by being such dicks, and being so obviously in the wrong.

And when they lose, as it sounds they will, they'll leave the LetsEncrypt brand all the more valuable than before.

It is very disheartening that Comodo, a seller of SSL certs, is attempting to steal some of the attention of Let's Encrypt has put into making a more secure internet. Instead of trying to weasel their way in front of Let's Encrypt a better strategy, in my personal opinion, would be to offer services on top of SSL. (Installing and managing SSL certs is still something a lay person cannot do.)
They already do. LetsEncrypt does not offer EV SSL certs for example.
Learning this, I will not renew my certs with Comodo. This is childish behaviour on Comodos part.

If it helps I'll advise any companies I consult to do the same until this changes. Money is the only thing this company will understand.

I agree. I have an existing cert from Comodo for my personal site, as they were cheap and easy to get when I was looking for one. I will look for another provider when it's time to renew.
Why are you looking for another provider? Just use Lets Encrypt ;-)
Lets encrypt certs are only valid for 3 months. In many situations the auto-renewal stuff is inconvenient. Then its easier to just buy a commercial cert that's valid for a few years.
I always use acme-tiny [0] to set up LE certs. You can follow their README to set up everything, including automatic reneweal cronjob in a couple minutes.

0: https://github.com/diafygi/acme-tiny#readme

That's not always an option. For example, when I was looking into it for google app engine, I came across these directions: http://blog.seafuj.com/lets-encrypt-on-google-app-engine and http://igorartamonov.com/2015/12/lets-encrypt-ssl-google-app...

That's not so bad if you have to do it once a year or better yet once every two years, but I'm not doing that every 3 months.

There's an issue open to allow for the process to be automated, hopefully by the next time I need to renew it'll be available. But as it stands today I went with a paid certificate.

+1

I was just looking at doing this last night for two sites and came to the conclusion that it was too painful.

Far too many products still require manual intervention which is a huge bummer. Synology, VMware, ddwrt etc.

OTOH, lego with Cloudflare DNS challenge proved to be very easy to use with a single command.

The Comodo cert was for 5 years at a total of $25 IIRC. I didn't consider that bad at all, especially as that was add-and-forget.

Of course that's still like a money printing machine, and wildcards and greenbars are much more. But the deal was pretty fine for my personal domain. To be frank, I would probably have renewed with them.

The whole idea is to motivate you to automate the process as far as possible. This is basically a good idea. It's a faff for us at present 'cos we don't have direct access to our load balancers at this moment (just switched hosting), but we're working on that.
(comment deleted)
That counts as a provider too, and a likely one at that.
Let's Encrypt doesn't offer EV certs. Which is reasonable; EV certs can't be automated (and they're a dumb idea anyway), but they're still necessary for some of my sites.
> EV certs can't be automated

No entirely, but mostly: seeing as this is my job, I should have some idea. Currently writing a post about how we've used some psych techniques to automate the non-automatable parts which I'll post on HN.

> (and they're a dumb idea anyway)

EV matches identity to public keys. Nothing more, nothing less.

If you need EV, we (https://certsimple.com) specialise in making those background checks far less painless with a bunch of unique tech. This means you get your certificate faster and with a lot less effort on your behalf (and a lot more on ours) during the verification process: https://certsimple.com/about

If a DV cert is fine, go with Let's Encrypt (Hi Richard!), dnsimple (Hi Anthony!) or CloudFlare (Hi John and Filippo!) or Heroku.

Anecdotally: I fully recommend CertSimple. We used them for an EV cert we needed and not only was it simple to set up the request, but the processing was quick, too!
I can't find pricing on your website. There's a page called 'pricing' that says I can find pricing on the home page. When I click the link, I find a lot of marketing text, but no pricing.
It's right underneath the 'Domain names' box, in to USD / GBP / EUR based on country (which is in turn based on your IP location).
Ok, now I discovered it. Had to put my phone in landscape mode (in portrait mode the website is totally different)

Pricing starts at 220€ per year, in case anyone is interested.

Quick plug for a company I've used: SSLmate (http://sslmate.com) makes cert purchase (for those whom need this) painless and fast. They use Comodo and Geotrust FWIW. I've had my own pain with Comodo through other resellers, and moved on to sslmate and godaddy. Recently moved my home blog (http://scalability.org) to LE. Work (http://scalableinformatics.com) is using godaddy for now, though thinking hard on using sslmate going forward for it (because ... godaddy).
> EV certs can't be automated

Not entirely, but Let's Encrypt could partially automate the verification process (e.g. looking up business entities and contacting their registered agent with an authorization code), and then fully automate obtaining a certificate with those verified credentials.

(Not to sound like an advertisement, but) I got an email from StartCom the other day, saying that they're moving their StartSSL service to work on a similar policy to Let's Encrypt (which I hope means they're just running an ACME server)—but with the proviso that, since they do have the background-checking infrastructure required for EV "trust verification", they've combined the two.

If I recall, StartSSL sort of hoists their EV identity-verification out into its own step before you actually apply for certs. The identity-verification process costs money (and it can't not; it involves paying real people to do background checks), but any EV certs issued to a verified identity are free.

I think what this will mean is that, if you do an ACME request to StartSSL using an identity they've verified—and for a domain associated with that identity—then the cert in the response will automatically be an EV cert.

This is pretty huge, in that usually EV certs cost a large amount per issuance—whereas a pre-verified ACME-issued cert effectively has zero marginal cost to reissue. Previously, EV certs were usually used only for apex domains, with a secondary DV cert collecting the internal SANs together—because the DV cert had a low (now zero) reissuance cost, while the EV cert cost the full amount each time to get reissued. Now you can just use your EV cert for everything, and alter it as suits you: much simpler.

I hope other CAs adopt the same approach; it's a very good idea. (Pie-in-the-sky thought: maybe one day we'll have the equivalent of the semi-automated KYC service providers that have phone apps to scan drivers' licenses, but for corporations. Then issuing EV certs will just mean an API call.)

Unfortunately, it doesn't look like they have plans to use ACME. They do have a public API (StartAPI) for issuance, which is better than nothing, but they definitely missed an opportunity with ACME, IMO. Mainly, being the first CA with OV/EV support that would also benefit from the existing ACME ecosystem (i.e. server auto-configuration).

StartEncrypt, the equivalent of an ACME client for their API, appears to be a closed-source binary blob with no documentation whatsoever (based on what's visible on their product landing page and what's inside the downloaded files).

...oh but they do. If you're in education and are an InCommon member, you get unlimited EV certs. It's pretty nice as you can add read certs to literally every server in your system and not have to abuse a *. cert. Hell you can even add real certs to every AD machine; no more creating your own CA and installing it via a group policy.

That was back in 2012 when I worked for a University. Good luck getting those certs though. Their web service was so broken and if you ever asked for a 2nd cert it'd revoke the first one (which is great if you use them for e-mail encryption because now you can't read any of your old e-mails :-P .. that was more of an Outlook/GAL issue though).

I really hate that InCommon was using Comodo considering all the shit they've done (like issue Google and Facebook certs to the Iranian government).

Turns out I have a Comodo cert expiring soon. Let's see if they do the right thing before I do...
They already refused to back down, even after requests from Let's Encrypt lawyers. Backpedalling now in response to the PR crisis would not be enough, in my opinion. I'd only consider them again if they were to make a decent donation to Let's Encrypt.
I had a Comodo cert expiring in a year or so, but still went with Let's Encrypt since I was setting it up for other domains.
I had one just about to expire, and this was my motivation to switch over to Let's Encrypt.
Well, colour me impressed. Looks like they have indeed done the right thing. Fair's fair, I'm going to go ahead and renew my Comodo cert.
Yeah, the only reason to use them was that they were cheap and now AlphaSSL's resellers are cheaper anyways, $40 wildcards are hard to argue with. Heck, I paid $100 for 3 years on renewal.
Just curious, but do you think companies you consult care enough to switch? It's usually easier to just renew, and I wonder if consultants have the leverage to get customers to care.
We buy EV certs for those sites where the business unit and/or marketing demands it, but otherwise we just use Let's Encrypt. (Small publisher with some paid info sites.)
Is it easier? How automated can you make renewal with Comodo? Even big companies goof and have a few hours of downtime where their cert expired. With Let's Encrypt, you make it not a human's error anymore.
It'd be easy to make a case that Comodo is no longer trustworthy, pointing to several of their past actions, and recommending a switch to a safer provider. If the consultant does the work to make the switch happen, and the cost doesn't increase, I doubt the customer would object.
They couldn't care if I mentioned it and I don't plan to. Renewals often involve just as much work as installing a new cert. This is more about personal recommendations, after I recommend its normally accepted without question.
I've avoided buying a code signing certificate from Comodo just because of their reputation, even though they offered the cheapest price.

To me, this behavior reinforces that that was the right decision.

I am on LetsEncrypt's side to defend their branding. However, Comodo's intent is understandably clear: you take away my business by giving away free certs I screw you in your branding. (not that I agree with this tactic.)
It's a bit like a buggy whip manufacturer registering a trademark on the word 'ford' at the introduction of the model T. Understandable, but not permissible.
They're both bad faith registrations, "understandable" doesn't enter into it.
I've avoided the big issuers for a while now. Big plug for Digicert who are excellent - they're independent (so not conflicted), have great infrastructure (fastest on OSCP), super support and active in pushing standards such as CT, short-lived certs, and adopting .onion support after internal names were deprecated.

I use LetsEncrypt in most cases (and have companies I work with donate a portion of what they used to spend) and then DigiCert for EV SAN.

+1 for Digicert, awesome service. I'm definitely looking at letsencrypt for our next project.
It's quite a bit more than being childish. They're basically saying F U to the security community and to people who want a secure Internet.

How is this company still alive after their numerous security breaches/issue (https://en.wikipedia.org/wiki/Comodo_Group#Controversies) and then on top of those, this thing? They need to go out of business.

It's troubling that an ostensibly security-oriented company would seek to muddy the waters like this and reduce the reliability and integrity of the marketplace.
go with rapidssl - because we use docker and bake our certificates into our vms, we find it hard to use letsencrypt. but we have been very happy with rapidssl (even using it on our apis that serve legacy android devices)
Well done Comodo, this motivated me to donate to Let's Encrypt.

https://letsencrypt.org/donate/

Good idea, your comment motivated me to do the same.
just signed up for a $20/month donation :)
I assume donations directly to Let's Encrypt are tax deductible like EFF donations are - does LE send out tax information for contributors?
Let's Encrypt is part of the Internet Security Research Group, which is an IRS 501(c)(3) public benefit corporation. Contributions are tax deductible in the US.
Eh, I want to donate, but not via PayPal. If anyone relevant is reading this, consider adding more donation methods.
You would think that an organisation with that name would have wallets in a variety of digital currencies.
Me too. What a bunch of goons.
I also just donated, and commenting here to encourage others to do the same.
I donated as well, and this is why:

  We're making it possible for everyone to experience a secure and privacy-respecting Web.

  We make it easy to get certificates for HTTPS, because ease of use is critical for adoption.

  We provide certificates free of charge, because cost excludes people.

  Our certificates are available in every country in the world, because the secure Web is for everyone.

  We strive to be open and transparent, because these values are essential for trust.[1]  
When I read that on Let's Encrypt's website, compared to the immature drivel the Comodo CEO wrote, it is obvious who the "good guys" are here.

[1] https://letsencrypt.org/donate/

I donated, not because they provide an awesome service for free... but because they stand to break up something that's really nasty in the crux of our internet.
Donated.
The anger, the convenience of your link, and the fact I had some cash sitting with Paypal made it easy for me to donate to holding as well. I think there's a lesson in there.

Let's Encrypt is a noble good-for-everyone effort so it depressing that there those out there that will do it harm.

I will never use a Comodo cert again.
There are also others trying to cash in on this. StartSSL recently started a "Start Encrypt" product which is based on similar ideas.
That was my first idea too. I'm surprised LE didn't target them too.
While the naming might be similar, they are actually providing a free ssl cert, right? similar to LE.

If that is the case, then its a good thing (IMHO)

They always provided free "personal" certifcates with a validity of one year. But they market the "Start Encrypt" thing like you now get wildcard and EV certificates for free (which isn't true). Talking about scummy practices...
When hasn't StartCom been scummy?
Never I'm pretty sure - we run a ticket reselling website thru an exchange and tried to use the service to get developer certs for our testing site.

The web site had a black banner with white text on the top that stated in high contrast that it was the developer site and no actual transactions would run and tickets could not be purchased if a transaction was attempted here. (even was using a test domain while clearly the live site's domain was in the header)

They still required us to purchase some package to use the certificates on that site. When LE came up we were more then thrilled that we didn't have to fork out extra cash for developing on sites that don't get traffic at all and clearly stated this fact.

I will never go back to StartCom considering how they treated us that day.

It seems more like to that the approval process is strictly to whomever is approving requests at the time because I've also seen several friends get certificates for e-commerce sites that were clearly labeled as the production server and have yet to be revoked after several years of running and becoming successful.

I don't know how StartCom run's the actual process and I could have just been caught on a bad person that day but honestly when you have one bad experience humans tend to avoid going through that again since we are programmed since birth to do this. Of course Let's Encrypt has been more then what we expected and will continue to use them until such time we are required to stop using them!

Go Let's Encrypt - You got this companies support and I'm sure that of many others so don't ever stop fighting!

> I don't know how StartCom run's the actual process

Badly. We've used their service for five years in clear and constant violation of their ToS, and apart from demanding a one-time hush payment they didn't even pretend care.

wow, thanks for clarifying! :)
Fairly standard scummy marketing though. Once you have the appropriate auth level to generate certificates of the type you desire (a one-off process, or at leas once-per-two-years) every certificate you have signed is free.
For using the word 'Encrypt', or something else?
"StartEncrypt" is rather similar to the (trademarked) Let's Encrypt.

StartSSL even changed their CI colours from "green, with red highlights" to "exactly the same shade of blue Let's Encrypt has, with green highlights", I mean come on.

I see "Start Encrypt" as a capitalist answer to a competing product with (very) cheesy marketing, while what Comodo tries to do is purely malicious.

IMHO we can't put them in the same basket.

It sounds similar enough to me "Let's Encrypt" that it could confuse people. The trademark system is supposed to prevent confusion, which seems to me like what "Start Encrypt" could do. Thus, that also seems to me like a trademark problem.
You may be right (I'm not well-versed in the trademark system), but at least we can agree that this is a more complicated matter than what Comodo is doing. I mean, there is no plausibility in Comodo's case - just plain evil.
I tend to disagree (on the latter point). Encrypt is a generic word here. I don't think it's appropriate (nor consistent with the law) to grant broad trademark protection for generic terms.

To me, it's closer to "Joe's Pizza," "Anna's Pizza", and "Arlington Pizza" all selling, well pizza. Could someone confuse Arlington Pizza and Anna's Pizza? Sure, especially if Anna's Pizza is in Arlington and the owner of Arlington Pizza is named Anna. Nevertheless, you can't trademark "<Adjective> Pizza"

"Encrypt" on its own is generic but the "<Imperative-Verb> Encrypt" form of it doesn't sound generic enough to me. Trademarks don't have to be original to be trademarkable, just not cause confusion. I can see people getting confused by "start encrypt" vs "let's encrypt". There could be a case for trademark confusion there.

> Nevertheless, you can't trademark "<Adjective> Pizza"

Yep, you totally can. Again, because originality has got nothing to do with trademarks:

Hot Pizza: http://tmsearch.uspto.gov/bin/showfield?f=doc&state=4808:i80...

Scratch Pizza: http://tmsearch.uspto.gov/bin/showfield?f=doc&state=4808:i80...

Match Pizza: http://tmsearch.uspto.gov/bin/showfield?f=doc&state=4808:i80...

Anytime Pizza: http://tmsearch.uspto.gov/bin/showfield?f=doc&state=4808:i80...

Absolutely correct that you can trademark those phrases. I thought one thing and typed completely another. My mistake.

What I meant is that you can't use your trademark on "<Adjective> Pizza" to exclude anyone else from registering "<Different Adjective> Pizza" and competing with you [edit: under that mark].

Depends on the adjective. If "Hot Pizza" is granted (it seems to just be an application), which I doubt because that does sound really generic, then probably nobody will be granted "Warm Pizza" or "Sizzling Pizza" because that sounds similar enough to cause confusion.

Likelihood of confusion is the acid test for trademark infringement:

https://en.wikipedia.org/wiki/Trademark_infringement

Also, preventing others from competing with you is completely irrelevant to trademarks. That's more something like what patents do. As far as trademarks go, you can compete all you want, just make sure you don't portray yourself as having the same name as your competitor.

"Let's encrypt" is more subjunctive than imperative, although the distinction is vague in English. "Start Encrypt" is just bad grammar AFAICT.
I agree. There is a difference between using "encrypt" in the title of a product thats core functionality is encryption and the main name of their company; "start". If they modeled most of the marketing and branding on Let's Encrypt, it wouldn't be great but I could understand it.

Blatantly registering another companies name as your trademark, within the industry and for the direct product you are competing against is piss poor intimidation. What possible legitimate motive could they have to do this? none. In the best case, it is for the eponymous "defense" package, at worst it is for intimidation.

> I see "Start Encrypt" as a capitalist answer to a competing product with (very) cheesy marketing

Also with very cheesy and bad grammar.

I didn't believe when I received their email about it and bashing Let's Encrypt initiative. If StartSSL could do it, why they haven't done it years ago? Bunch of scumbags.
I'd love to see Comodo's defense of this.

By "defense" I mean their PR spin, of course. I doubt they'll actually come right out and say "Let's Encrypt is a threat to our revenue and we're attempting to trademark the name under-the-radar so that we can sue them out of existence."

What a scummy business practice. I will not be renewing my remaining Comodo certs.
Ah, the death throes of a big company that suddenly had its business model invalidated.

Well, not entirely; there are market niches that Let's Encrypt doesn't cover: org-validated and extended validation certs, wildcard certs, anyone who needs a cert that expires in years, ECDSA certs (for the time being)...

But theres no doubt that their revenue will be significantly cut, they'll lose shareholder value and need layoffs.

Their industry did it to themselves; a TLS cert company should have 5 engineers, 5 customer support people, and 2 managers, and should charge about 10% of what they do.

And code signing certs, especially those for Windows kernel driver development.
Didn't LE announce they were going to do a name change a few months ago?
No. The "official" client changed names when maintainership was moved to the EFF.
will switch all my comodo certs once they expire.
I've been using LE for all the certs. Free, easy, secure. Hooray!

Cheers to LE for standing tall.

Please donate to LE, EFF.

Your motivation motivated me to donate
Your comment motivated me to think about doing the same.
I'm donating to keep this nested motivation going. :-)
So, "Pay it Forward" is playing out for real on Hacker News to fight mass or criminal surveillance? Hell, I'm in! Threw them some dough. :)
Is there an easy way to switch from CloudFlare's COMODO to Let's Encrypt? If so I'm in !
Not without turning off CloudFlare. Maybe the CloudFlare Business Plan as well, though I don't know whether it supports multiple non-wildcard certificates.
Please refrain from starting and continuing "comment chains". It's not funny and doesn't add to the conversation.
I disagree. I think it's important to show that multiple people decided to donate because of this single comment. It's prompted me to donate to Let's Encrypt.
I also donated I think the feeling of missing out helped sway the decision.
I just donated, but only because the thread got this deep.
Is there any other way to donate but with PayPal? I want to but not through PayPal.
that's what the up-vote button is for
The upvote count is kept private, so it doesn't serve the same purpose of indicating public support for a comment.

Unfortunately meta discussions are frowned upon too, so I shouldn't have made this comment either.

Ah, thanks. I guess I never realized that it was private.
Please refrain from telling people what is not funny. It's not polite and doesn't add to the conversation.
Please refrain from "rules lawyering". It's not funny and doesn't add to the conversation.
your reprehend motivated me to donate
Please refrain from unnecessary humor-policing. It's not helpful and only detracts from the sense of community.
It's not humor-policing to point out that HN has a different culture and comments serve a different purpose here. I like pun threads - but I go to /r/jokes when I want them. Here, I expect a certain sort of signal - insight from experienced and intelligent people working hard on interesting technical problems.

This isn't to say that humor should be verboten, or pun threads strictly banned - but they're definitely not what HN has been about historically, and arguably should not be encouraged if we want HN to continue serving whatever role it serves. There are more places like /r/jokes than HN on the net, after all.

That's fine. I disagree with that policy and this is my way of expressing it.
I don't want to be petty... but your comment would have a lot more weight if you made it with your primary account.

That said, I agree with all your points... but we're humans... Even if most of our time is spent on science, we still get amused by the most silly of things; and if those things help support LetsEncrypt... Hurrah!

I'm assuming they don't have a primary, or they rather avoid the downvotes that people give without actually giving any actual feedback.
It's one thing to have rules, but don't confuse rule following with culture. Culture is emergent, and not something that is policed into place.
HN has a culture of pointing out that obvious, boring jokes have no place here. There's a constant struggle by people to introduce them, but (amongst others) those of us who watched Slashdot flush itself down the toilet of shitty humor are going to police the site because it's what we want.
Isn't it fair to say that the field of computer science has (up until recently, apparently) distinguished itself with its corny humor, dorkiness, and resulting sense of humility? I feel like puns and bad jokes had generally been a special part of the culture of early technologists. It's a little sad to see that give way to a kind of self-important seriousness.
But this isn't the field of computer science, it's HN. HN has developed its own distinct culture, as any long-running online forum does.
Don't be sad. The one context doesn't really apply to the other because these communities are so different in size and cohesion.

It isn't a question of humor, but of stock humor, which grows like crabgrass on the internet and quickly takes over. I think scott_s got it right years ago: https://news.ycombinator.com/item?id=7609289. Humor that clears the signal/noise threshold does fine here.

Fair enough. Thanks for the input, dang.
(comment deleted)
> Here, I expect a certain sort of signal - insight from experienced and intelligent people working hard on interesting technical problems.

In a comment thread about somebody donating? You must be disappointed often.

Actually, your priggish comment is way more of a buzz-kill in terms of what I expect / hope to find while browsing HN than the spontaneous demonstration of chain-reaction altruism evinced elsewhere in this thread.
I'm pretty sure the lawyer would have known about letsencrypt.org and their Let's Encrypt project before filing this.

So that being said, reading the fine print of what the lawyer had to sign in order to submit the application, shouldn't the lawyer be vulnerable to perjury charges?

Excerpt from http://tsdr.uspto.gov/documentviewer?caseId=sn86790719&docId... :

The signatory believes that: if the applicant is filing the application under 15 U.S.C. § 1051(a), the applicant is the owner of the trademark/service mark sought to be registered; the applicant is using the mark in commerce on or in connection with the goods/services in the application; the specimen(s) shows the mark as used on or in connection with the goods/services in the application; and/or if the applicant filed an application under 15 U.S.C. § 1051(b), § 1126(d), and/or § 1126(e), the applicant is entitled to use the mark in commerce; the applicant has a bona fide intention, and is entitled, to use the mark in commerce on or in connection with the goods/services in the application. The signatory believes that to the best of the signatory's knowledge and belief, no other persons, except, if applicable, concurrent users, have the right to use the mark in commerce, either in the identical form or in such near resemblance as to be likely, when used on or in connection with the goods/services of such other persons, to cause confusion or mistake, or to deceive. The signatory being warned that willful false statements and the like are punishable by fine or imprisonment, or both, under 18 U.S.C. § 1001, and that such willful false statements and the like may jeopardize the validity of the application or any registration resulting therefrom, declares that all statements made of his/her own knowledge are true and all statements made on information and belief are believed to be true.

You would have to prove the lawyer knew. It sounds difficult to prove short of an email exchange and I have no idea how the courts work but hopefully you can't get access to a company's emails just by filing a suit based on "I'm pretty sure"
You might argue "due diligence", that as Lets Encrypt appear on a simply internet search the lawyer's claimed ignorance [if they do claim ignorance] shows a wilful act to hide from knowing that it was already an established trademark. There is no way - on balance of probabilities - that any company enlists a trademark lawyer to register a mark without that lawyer first doing an internet search (eg for associations with nefarious businesses [or one's powerful enough to sue you], or negative associations with crime, etc.).

Google could probably provide the information about such a search being made from the lawyer's offices!

I've received legal advice to take care not to discover patents. Because if we knew of the existence of a patent then it could be shown that we were knowingly infringing on the patent.

I wonder if trademark law has similar incentives to behave irrationally.

" Because if we knew of the existence of a patent then it could be shown that we were knowingly infringing on the patent."

This legal advice was been valid at one point. However, nowadays, willful infringement requires more than just knowledge.

It has for a few years, but the most recent supreme court decision also strongly supports this.

See Halo Electronics v. Pulse electronics (http://www.supremecourt.gov/opinions/15pdf/14-1513_db8e.pdf) in the concurrence:

  First, the Court’s references to “willful misconduct” do
  not mean that a court may award enhanced damages
  simply because the evidence shows that the infringer
  knew about the patent and nothing more.
Second, also note:

  “failure of an infringer to obtain the
  advice of counsel . . . may not be used to prove that the
  accused infringer wilfully infringed.”
If not perjury, then negligence. I ran into Let's Encrypt without looking for it. It kept popping up in the tech news section over the past year.

Maybe lawyers don't peruse the tech news, not even tech lawyers. Well, the lawyer's client most likely does. And really, the lawyer is just filing the request on the client's behalf.

Besides it doesn't matter. A simple web search would have turned up Let's Encrypt. Not doing a simple web search before filing a trademark request is negligence.

Particularly a lawyer for a competing service.
I'm also puzzled that Let's Encrypt's Trademark policy [1] strongly suggests that 'Let's Encrypt' is a trademark (word mark?) that they have registered, and yet according to the most recent letter sent by the USPTO [2] "The Office records have been searched and there are no similar registered or pending marks that would bar registration [...]"

[1] https://letsencrypt.org/trademarks/ [2] http://tsdr.uspto.gov/documentviewer?caseId=sn86790719&docId...

I don't see anything in their trademark policy that implies they have registered any of their marks yet. In fact, all the marks in the "included, but not limited to" list use ™ instead of ®, the later which can only be used with registered trademarks. Searching the USPTO database[1] for "let's encrypt" only reveals Comodo's 1B registrations.

All that being said, under US law you still have trademark rights even before you register the mark, and ISRG definitely has first use on the Let's Encrypt mark.

[1] http://tmsearch.uspto.gov/bin/gate.exe?f=login&p_lang=englis...

This seems like a good example of why you should go through the registration though. Because now they are going to have to use the courts to resolve the situation; presumably (I hope?), if they'd registered, a new registration application for the exact same mark would not even be accepted.
There's a challenge period during trademark registration when they can voice their objections. They may be able block it if they're not too late.

> You may challenge an application for trademark registration at the USPTO by filing an opposition with the TTAB within 30 days after it is published in the Official Gazette.

http://www.uspto.gov/page/about-trademarks

Ah, ok. I hadn't realised there was a difference between registering a trademark and just publicly claiming it as your own. That helps to clear up what the situation is here.
You don't have to register trademarks, even though it's a good idea to do so, if only for the sake of clarity. Trademarks can be established through market use (common law usage), which is what Let's Encrypt's claim is based on.

Let's Encrypt will likely defend their claim, if it comes to it, through the tort of passing off: https://en.wikipedia.org/wiki/Passing_off

Edit: I can English good.

So, ..., you are right they can be established, but the interplay with registered trademarks is complicated.

Here's a reasonable article on it: http://www.fr.com/news/prior-user-vs-federal-registrant-whos...

I know. That was why I wrote "even though it's a good idea to do so, if only for the sake of clarity".

Registration makes trademark ownership clear. It's not essential, but a really good idea.

shouldn't the lawyer be vulnerable to perjury charges?

18 U.S.C. § 1001 isn't perjury, it's false statements, the same charge as lying to the FBI (Scooter Libby, Rod Blagojevich, Bernie Madoff, etc.). It can still result in prison, though!

Why did Lets Encrypt not previously register a trademark of their own?
"How to not defend your brand".

This blog reads like sour grapes, and to me, is on the edge of riling up a community to damage a competitor.

It appears that they are trademarked in the UK.
We should remove Comodo from our trusted CAs
This is why people hate CAs.
Out of curiosity: Why didn't Letsencrypt applied for a trademark right at the start?

That this happens was quite foreseeable and occurs quite often if people forget to secure trademarks (I know this won't be a popular opinion because most as I like Letsencrypt and their outstanding service)

It's a fair question, though you don't actually need to register your trademark to "own" it, it just provides some advantages and of course reduces the danger that someone will do what Comodo did.
If Comodo would have actively used "Letsencrypt" as a brand paired with Comodo's registration this case would be crystal clear: Letsencrypt wouldn't own anything.

With the situation now, it's debatable but saying that a trademark 'just provides some advantages' is a bit of an understatement.

That's a bit oversimplified. If LE had used the mark first, and had taken the measure of asking Comodo to stop using it, that would show them protecting their trademark, which would give them a case. The PTO is quite clear that registration is not required for a trademark to be enforceable.
It costs $375 (plus lawyers fees, usually) and I suspect that they just didn't think it was necessary. Lots of organizations haven't and don't bother registering, unless they expect a problem. Lots of volunteer-run software projects have better things to spend money on and just never get around to registering their name as a trademark until someone else tries to steal it out from under them.
When you're a very public open-source project whose brand is so central to success, registration is the better thing to spend their money on. Let's Encrypt did not show good judgment on this one.

EDIT: For example, they probably spent a employee/retained-attorney time worth more than $375 just to put together their Trademark Policy page. [1]

[1] https://letsencrypt.org/trademarks/

Comodo - if you are reading this, you lost about 3000 USD worth of business from me. And someone else is going to gain the same.

Drop this nonsense. It helps no one.