In March of 2018, Comodo CA revoked a TLS/SSL certificate issued to Stripe, Inc, a legal business entity incorporated in Kentucky. This certificate had originally been issued to blogger Ian Carroll as part of his effort to scrutinize how Extended Validation SSL certificates are treated in browsers. Ian spoke out on social media after revocation of his certificate, which brought his case to the attention of Comodo CA’s senior management team.
After looking into the matter, we believe we revoked this certificate in error. We extend our apologies to Mr. Carroll for the mistake and offer to issue a new EV certificate to replace his old one. Read on for more detail on why this decision was made and the corrective action we’re taking.
Comodo CA’s Subscriber Agreement prohibits the use of Comodo CA SSL certificates for deceptive or misleading purposes. Section 1.7 reads in part,
1.7. Restrictions. Subscriber shall not:
(i) impersonate or misrepresent Subscriber’s affiliation with any entity,
Likewise, Comodo CA’s Certificate Practices Statement states that one reason for revocation is when the certificate was issued to a person or entity that “impersonated other persons or entities” (4.9.1). This requirement stems from the CA/Browser Forum’s Baseline Requirements, which prohibit the issuance of certificates that are “misleading” (184.108.40.206 (10)).
Mr. Carroll states that he formed Stripe, Inc and ordered his EV SSL certificate specifically because it had the potential for confusion with the popular payments processor of the same name. He published a screen capture on his Twitter feed showing two apparently identical sites side by side, one of them the real Stripe payments processor and the other his own spoof site. (Note that if you navigate to the site in question as of May 1, 2018 you will NOT find a counterfeit of the Stripe payment processor’s site but rather an essay titled “Extended Validation Is Broken” in which Mr. Carroll explicitly discusses the name collision between his entity and the better-known Stripe.)
A Comodo CA employee who is not a member of senior management but who does have the authority to make these decisions revoked the certificate based on the sum total of the above. At the time, the senior management team was not involved in that decision, and at no point was any of Comodo CA’s behavior driven by the motivation to silence Mr. Carroll’s opinions on Extended Validation SSL. Mr. Carroll and others have subsequently called our attention to this incident, and upon review, we concur that he made no known attempts to deceive with this certificate and did not create a situation requiring revocation.
Comodo CA’s policy and training up to this point failed to anticipate a scenario such as this one, and therefore the company’s employees did not receive explicit instruction on how to deal with it. We are updating our policy and employee training to clarify that deceptive, criminal, or harmful use of a colliding identity, rather than the name collision alone, is what constitutes cause for revocation.
Thank you to Mr. Carroll for bringing this need to our attention.