Comments on Gandi's removal of SSL certificate for

Our policy has always been to respect our customers and protect their rights, but also protect the rights of other companies and customers. The ‘whois’ accuracy requirement is not only an important part of the ICANN regulations, but also a key aspect in us knowing who our customers are and allowing us to contact them in the event of a problem. If you falsify your whois information, we may not be able to contact you if there is a problem, and we don’t know who you are, which means we can’t protect you as much as other customers that we can vouch for and validate. Ours is a relationship of mutual trust and respect. Please respect us by giving us accurate information. If you want to enforce privacy, use the various privacy settings to obscure your whois data, but don’t falsify it.

Certificates represent an extra layer of security and trust on the internet. They give customers a sense of security that the website they are visiting can be trusted and the owner is a known individual or entity. If the whois data behind a domain is falsified, a valid certificate cannot be issued, because the owner is not a trusted source. It would be wrong to give an accredited level of trust to a site that is based on deliberately misleading information.

The customer in this case was trying to set up and promote a service to offer users a greater degree of privacy from the information that Google collects. This is a noble cause and one that we would be happy to host, but only if it plays by the rules. The customer could have avoided this by:

  • Providing accurate whois information so we know who they are and can vouch for them and issue a certificate with certainty
  • Registering a domain that describes the service but does not risk any potential trademark infringement, e.g. (or some combination of that that is available).

This way we would know who they are and defend their rights to the teeth as we do with all of our customers.

Please note that we weren't contacted by Google in this case, but took action based on the falsified Whois data. Google could object to this domain, so it's always good to avoid potential infringement that could cause you to lose a domain in a dispute.

In the spirit of our ‘no bullshit’ policy, what we could have done better in this example was make more of an effort to contact the customer directly at the point when we knew the certificate was going to be revoked. The address and phone number on the Whois were fake, but we should have followed up by email. This was our error and we'll do better next time.