A Funny Response

First of all, a huge thank you to all involved! I've been using LE certs for a while now on my own domain, and we recently started using them over on gimp.org as well.

I used to be a StartCom customer previously, and found this email a couple of days ago that I thought you'd appreciate (as it appears to be a direct response to everyones efforts here):

Dear StartCom customers,

This electronic mail message was created by StartCom's Administration Personnel:

StartCom, a leading global Certificate Authority (CA) and provider of trusted identity and authentication services, announces a new service – StartEncrypt today, an automatic SSL certificate issuance and installation software for your web server.

StartEncrypt is based the StartAPI system to let you get SSL certificate and install the SSL certificate in your web server for free and automatically, no any coding, just one click to install it in your server.

Compare with Let’s Encrypt, StartEncrypt support Windows and Linux server for most popular web server software, and have many incomparable advantages as:

(1) Not just get the SSL certificate automatically, but install it automatically;

(2) Not just Encrypted, but also identity validated to display EV Green Bar and OV organization name in the certificate;

(3) Not just 90 days period certificate, but up to 39 months, more than 1180 days;

(4) Not just low assurance DV SSL certificate, but also high assurance OV SSL certificate and green bar EV SSL certificate;

(5) Not just for one domain, but up to 120 domains with wildcard support;

(6) All OV SSL certificate and EV SSL certificate are free, just make sure your StartSSL account is verified as Class 3 or Class 4 identity.

StartEncrypt together with StartSSL to let your website start to https without any pain, to let your website keep green bar that give more confident to your online customer and bring to online revenue to you. Let’s start to encrypt now.

Please do not reply to this email. This is an unmonitored email address, and replies to this email cannot be responded to or read.
If you have any question or comments, just click Here ((https://startssl.com/reply) to send your question to us, thanks.

Best Regards
StartCom™ Certification Authority

I have no intention of using these certs now that I've got a solid workflow with LE, but I found it funny that the movement has started changing up business plans for some folks...

It’s a good effort, no doubt it will attract some customers (especially the part about the validity period), but I’d really like seeing them more open about the whole thing:

• OV/EV certs are indeed free, but the annual validation fee has to be paid. That makes sense of course, because they are not supposed to do the necessary paperwork for free, but the message is misleading.
• Revocation fee is not mentioned.
• There seem to be no documentation regarding how that process sitting as a daemon actually works

I bet it’s not the last CA - I say GoDaddy might try this sometime soon

well they DO say that you need class x verification.
but the most important thing is that you at least need class 2 (Identity verification of yourself) to get more than 5 domains on your cert. it’s also needed for wildcards. but for people who prefer longer lifetimes it’s great, because for free you get up to 1 year.

the fact that revocation fee is missing is sad, but most people involved with startssl (those who got the mail are registered there) should know about the fee anyway.

I can’t help being surprised to read the mail you quote and note the English being, let’s say… Limited. (No pun intended. Honestly.)

StartCom is apparently registered as an ‘Ltd’ company and I would have thought they would be able to compose a generic mail, mass distributed to a high number of their existing and potential future clients written in an English containing far less grammatical errors.

Have you been able to confirm the message was actually sent by StartCom Ltd. ?

Personally, I would check before acting upon the message for the benefit of my own sites.

(For the records. My own English is far from perfect. English is just my third language. But I still think that if I worked for StartCom Ltd. and if I had the task to compose an official generic message to the client base, I would take the time to re-read my message more than once before hitting the ‘Send’ button. The message quoted above looks like a ‘first draft’.)

well I get an SPF pass but the email seems to have been sended unencrypted so body can sayit could have been intercepted but well I dont think someone is can intercept a newsletter sent to thousands of people.

it’s for real. https://www.startssl.com/StartEncrypt

That’s great news IMO as it shows that Lets Encrypt is making a really difference and forcing real change. The more providers that do this the better.

and the best thing is that this provides an option for admins who prefer a longer lifetime.

It is an interesting message. Some of the points of comparison with LE are simply incorrect--certbot does, in some situations, install the cert for you (it remains to be seen whether startssl's software will do a better or a worse job in that regard), and LE has never been limited to a single domain. Though I don't think certbot runs natively on Windows, there are plenty of clients that do. Some of the points are misleading at best ("free" cert, once you pay the $200 fee for validation, plus an additional fee if you ever have to revoke).

OTOH, LE doesn't do OV/EV certs, and doesn't appear to have any plans to; this could be a good alternative for folks who want or need such certs. And they're good for over 90 days, for whoever still thinks that matters.

...but this seems awfully close to the line of trademark infringement.

Just to clarify, that quote

Is not actually mine, but rather a quote from the email I received. I just didn't want to give anyone the wrong impression.

Yes, thanks for the clarification. I’m not suggesting you’re infringing Let’s Encrypt’s trademark, but that StartSSL might be.

keeping the revoke fee aside, how abour you read this part of the email again.

and as I already said as this was posted in a newsletter email, the people who got this are already involed in SSSL and therefore should know that validation costs some money.

I dont really think so as they are just using it as a sentence and by that measure a sentence like "start using SSL now!" could also be close to trademark problems.
and even if it is a pun on LE , when you use something that can also be used as a normal phrase this is bound to happen.
I dont think that yahoo could get anyone into court just because they use their "trademark" the way it is normally used (as "an exclamation of joy" (quote by wiktionary).

Fair enough. I still think it's kind of misleading, but the statement on https://www.startssl.com/StartEncrypt is a bit clearer.
On the closing sentence, I guess it's unlikely to cause any confusion (unlike Comodo's nonsense), but there's also no way it was written without intending that people think of LE.

well LE was already directly mentioned in the post so it wouldnt even be needed to give a subtle hint at LE

Yeah, a well-known issue... [quote="Biker, post:4, topic:17115"]
StartCom is apparently registered as an 'Ltd' company and I would have thought they would be able to compose a generic mail, mass distributed to a high number of their existing and potential future clients written in an English containing far less grammatical errors.
[/quote]

They are based in Israel. So at least English is not there native language.[quote="Biker, post:4, topic:17115"]
Have you been able to confirm the message was actually sent by StartCom Ltd. ?
[/quote]

See my already linked Stackexchange question:

You can also find the message on the StartSSL blog.

I'll just summarize this with: Marketing slang.
That's also a good thing of Let's Encrypt: They are non-profit, so we will never hear such marketing slang from them.

Yeah, I also had to read this line many times: I mean already the name "StartEncrypt" is an allusion...
But, again: Marketing matters. I just hope people won't confuse Let's Encrypt and StartEncrypt. I mean probably that's the reason for the similar name, but I don't want to spread conspiracy things here...

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.