So here’s what happened: Moxie the customer, bought an SSL certificate for his website googlesharing.net from Gandi.net which uses the technology platform of Comodo (rather than reinvent the wheel for SSL). This was a standard certificate for which Gandi.net acts as the Certification Authority. (see https://www.gandi.net/ssl for details).
What Comodo did
Comodo reviewed the SSL cert issued by Gandi and decided to question the information provided by the applicant (Moxie) relating to the certificate. They did this because Moxie had attempted to get a cert for the same (and other) URLs in the past and had done so with falsified information. When they asked Moxie to prove the existence of the company name and address (which were non existent by searches) he was unable to do so. On this basis they revoked the certificate. Comodo told us:
“Moxie gave false and misleading information in the request which is a clear violation of our subscriber agreement so we revoked the cert. We ask for the address and organization details so we capture who we are doing business with. If they give a misleading answer then they violate the terms of the subscriber agreement so we can revoke. “Subscriber shall: … ensure that all information provided to Comodo is complete and accurate”.
Where Comodo went wrong was that they took action against a Gandi customer without telling us OR asking us to check the details and validate. They had no right to revoke without us agreeing to this decision as we are the Certification Authority in this case. The first we heard about it was when we were contacted by Moxie.
What Gandi did
When Moxie contacted us, we asked Comodo what had happened and why. They told us that it had been revoked because of falsifised whois information and fraudulent activity. The fraudulent activity did not relate to the activity of googlesharing (as Moxie claims) but the attempt to secure a certificate using falsified information, which amounts to fraud. Either of these would have been sufficient to revoke the cert.
We then relayed this information to Moxie, but added the ‘goolge trademark violation’ reason which was a mistake and pure speculation from our customer support team. This was a serious error on our part for which we sincerely apologise. Google has not contacted us, and had nothing to do with this. This was our error and ours alone. Sorry about that.
This information was then passed onto TheRegister.co.uk, who published the article without us having had a chance to comment. In fairness to them, they did email the management team, but at 2am CET and the article was published before we could respond.
We then published a blog article underlining the main reason for the revoked cert, which was the false whois data. This was not an attempt to cover things up, but the real reason for the revocation and it has taken us a while to unpick all the storylines (both real and imaginary) to get to the facts.
What Moxie did
Well, Moxie registered his domains and certificates using made up names of people and companies, and fabricated addresses. The addresses do not exist and the people’s names used changed several times but usually can be found in urban dictionary, e.g. http://www.urbandictionary.com/define.php?term=Amory%20Blaine.
As we’ve said before, a certificate is a stamp of approval that a person or organisation is who they say they are. They cannot be based on fraudulent information. So revoking the cert in this case was the right thing to do, just managed badly.
We understand that Moxie is a guy who values privacy (as his googlesharing service suggests), but the ICANN whois regulations are as they are, and the T&Cs of certificate providers require real people/companies too. We value our customers and trust them, but they must trust us too. And providing fake information to us is not the way to do this.
We would welcome Moxie’s comments on this and we’d be happy to issue him a new certificate but only if he provides real information as we expect from anyone.
So for our other customers, there is nothing to worry about. This matter was picked up because of repeated attempts to get certificates with falsified information, and this was the reason it was revoked. We are not going to randomly cancel other customer certificates, and neither is Comodo.
But activity seeking to fabricate information in the whois directory, or to get hold of certificates for nonexistent companies is a risky business. But that’s why most people don’t do this. If you behave like a bad guy you run a serious risk of being perceived as one. Additionally, registering a domain name with other people's brands in it often raises warning flags.
Anyway, that’s the whole story. Everyone had something to contribute to this mess. We have had many discussions with Comodo about this and will continue to do so to improve our processes and prevent this happening again. We would also welcome discussions with Moxie of course. We’d like to apologise to all our customers who have felt confused, unsure or upset during the last couple of days. This was never our intension and we whole heartedly apologise for errors we made in this, and have learnt from the process.
I hope that helps make things clear.
And just to complete the story, TheRegister updated their article with the following addition:
"Update In a sign that the "no bullshit" promise isn't a mere gimmick, Gandi COO Joe White sent us the following reply to a query we sent yesterday:
We certainly acknowledge that we could have handled this better, particularly in not contacting the customer prior to the revocation of the certificate. The reason for the certificate being revoked was because of the inaccurate whois data. Certificates really are a seal of trust, but that cannot be based on falsified whois data. It was right to revoke the certificate for this reason, but not without being in contact with the customer. We have reviewed and changed our processes to rectify this..."