The Internet Security Research Group (ISRG), the non-profit organization that created the Let’s Encrypt Certificate Authority, accused Comodo, one of the major Certificate Authorities (CAs), of trying to register the “Let’s Encrypt” name many months after the service had already been launched by the non-profit. The ISRG includes organizations as the EFF, Mozilla, Cisco, Akamai, and others in its member list.
Almost two years ago, the ISRG non-profit was formed. It then launched the Let’s Encrypt website and announced the free Certificate Authority service. According to the organization, Comodo started applying for at least three separate “Let’s Encrypt” trademarks for three types of certificate services only a few months ago.
The ISRG said that it has used the Let’s Encrypt name since its inception, and many of its partners and the community it created around it recognize it as a service from ISRG that they can trust. The group believes that Comodo would introduce confusion in the community about which service is which and what they can expect from it. If something bad happens to Comodo’s similarly-named services, then the trust in ISRG’s Let’s Encrypt service could be damaged as well.
According to the ISRG, it has asked Comodo to abandon its Let’s Encrypt trademark applications, but so far Comodo has refused to do so. The organization has its attorneys working on the case as well, but it would rather not pursue a lawsuit given its limited resources and because it would be a distraction from improving the service.
Last month, ISRG member EFF announced a next-generation client that would be renamed "CertBot" from "Let’s Encrypt," while the CA service would continue to use the Let’s Encrypt name. Having a different name for the client and the CA service itself is probably a good idea in order to avoid confusing web developers.
As an alternative theory, this may have also been the first step in moving away from the Let’s Encrypt name, if its members believe Comodo will start using the name and if there’s nothing they can do about it anymore. It would also be a waste of resources to continue to promote the Let’s Encrypt name if the group doesn’t have a trademark for it. However, the ISRG may continue to use the name for the CA service until it’s sure it can’t get Comodo to abandon its trademark applications.
Updated, 6/24/2016, 10:15am PT: We've asked both Comodo and the ISRG for further comments and more clarification on this issue. Comodo's CEO posted yesterday that ISRG is the one who is in the wrong here, because it's Comodo that "invented the 90 day free SSL," referring to the company's trial solution. However, the Let's Encrypt certificates from ISRG are not trial because they can be auto-renewed for free, which is not the case with Comodo's solution. For software-based automated Certificate Authority such as Let's Encrypt, it also seems irrelevant whether the certificate period is 90 days, or 60, 100 or 365.
Comodo CTO Robin Alden seems to have backtracked on this a little, and is now saying (via a forum post) that Comodo will allow the trademark applications to "lapse." He also said the company never intended to use them in the first place, but it just didn't tell ISRG about it.
"With LE now being an operational business, we were never going to take the these trademark applications any further. Josh [Aas, ISRG Executive Director] posted a link to the application and as of February 8th it was already in a state where it will lapse," said Alden. "Josh was wrong when he said we’d 'refused to abandon our applications'. We just hadn’t told LE we would leave them to lapse. We have now communicated this to LE," he noted.
For his part, Aas doesn't seem satisfied with this response from Comodo, because he thinks those applications are still a danger until Comodo completely withdraws them:
"Comodo made it very clear to us in their multiple letters to our attorneys that they intended to defend and continue to pursue the trademark applications, up to and including the very recent letter that prompted our public disclosure," Aas told Tom's Hardware. "Their CEO indicated the same thing in their forums within the past day. The latest communication from Comodo's CTO is inconsistent with all previous communications from Comodo to ISRG (Let's Encrypt)." He added, "That said, we look forward to any progress on the abandonment of the trademark applications so that we can all move on. We will not consider the matter closed until the applications are expressly withdrawn. Doing so is a trivial task, and is an option they have had from the beginning. There is no need to wait for a 'lapse.'"
Lucian Armasu is a Contributing Writer for Tom's Hardware. You can follow him at @lucian_armasu.