info
Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
Comodo Legal Phishing attack against ISRG?
291 views
Skip to first unread message
john.b...@gmail.com
Jun 26, 2016, 2:15:00 PM6/26/16
to mozilla-dev-s...@lists.mozilla.org
Hello,
The following screenshot is from Comodo's forums. Either their forums have been breached and the account of the CEO is being misused, or this is an actual post from their CEO.
https://imgur.com/7MfFBar
Comodo's CEO seems to be claiming that they created the Let's Encrypt brand and that it is ISRG that is misusing the trademark. From my knowledge of the facts, I would be extremely surprised if that is actually true.
The root inclusion guidelines are designed to ensure that only honest and trustworthy organizations are included as CAs, and that they follow prudent practices for assessing the identity of their subscribers. Accurate assessment of who is entitled to trade under what name is a core comptency of a CA. Failure to make this assessment correctly makes them unfit to issue EV certificates, and possibly other certificate types too.
One of either Comodo or ISRG seem to be conducting a phishing attack on the other, and are using the legal system to make the attack even more effective. I urge the community to examine if one of these companies has violated our standards for inclusion.
If it is ISRG, we should deny their request for inclusion. If it is Comodo, we should remove their root from the trust list and/or remove the EV trust bits.
John
The following screenshot is from Comodo's forums. Either their forums have been breached and the account of the CEO is being misused, or this is an actual post from their CEO.
https://imgur.com/7MfFBar
Comodo's CEO seems to be claiming that they created the Let's Encrypt brand and that it is ISRG that is misusing the trademark. From my knowledge of the facts, I would be extremely surprised if that is actually true.
The root inclusion guidelines are designed to ensure that only honest and trustworthy organizations are included as CAs, and that they follow prudent practices for assessing the identity of their subscribers. Accurate assessment of who is entitled to trade under what name is a core comptency of a CA. Failure to make this assessment correctly makes them unfit to issue EV certificates, and possibly other certificate types too.
One of either Comodo or ISRG seem to be conducting a phishing attack on the other, and are using the legal system to make the attack even more effective. I urge the community to examine if one of these companies has violated our standards for inclusion.
If it is ISRG, we should deny their request for inclusion. If it is Comodo, we should remove their root from the trust list and/or remove the EV trust bits.
John
Steve
Jun 26, 2016, 2:45:33 PM6/26/16
to john.b...@gmail.com, mozilla-dev-s...@lists.mozilla.org
According to Josh, Comodo have filed for abandonment of their three related
applications: https://letsencrypt.org/2016/06/23/defending-our-brand.html
> _______________________________________________
> dev-security-policy mailing list
> dev-secur...@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy
>
applications: https://letsencrypt.org/2016/06/23/defending-our-brand.html
> dev-security-policy mailing list
> dev-secur...@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy
>
Jason Milionis
Aug 18, 2016, 9:38:39 AM8/18/16
to mozilla-dev-s...@lists.mozilla.org
Is there still anything to be done for this one here?
0 new messages