So in summary: the allegations are true, and there's a direct business model created to allow this to exist alongside the traditional certificates system?

Are any other CAs going to be forthcoming on a similar approach, as what is being described is renting certificate lifespan, with hidden cancellation fees? I don't see how this is compatible with the baseline requirements, and it seems to reflect a CA further inserting themselves into the chain to confuse subscribers on what precisely they are purchasing with a certificate. A flexible-volume license approach is different than what has been described, to be clear. It is disconcerting that this is phrased as standard operating procedure, and nothing to worry about.

- Wayne

On Friday, August 2, 2024 at 1:33:10 PM UTC+1 Bruce Morton wrote:

> Hi Nick,
>
> Thanks for passing on the customer email, we’re following up directly there, and as always, we’d recommend that customers directly reach out to their account team to discuss their specific needs.
>
> That said, we think it would be helpful to share the different certificate licensing models we offer and the details of each. Entrust broadly offers two models for certificate purchase. The handling of active certificates, including revocation, differs based on the model chosen by the customer.
>
> The first model is what we call “unit based” and is what most would consider the historically traditional approach for certificate offers, where a customer purchases a certificate for a specific term, that certificate is paid for up front, and their license is valid through the expiration date of the certificate. After initial issuance only limited changes are permitted to the details of the certificate.
>
> The second model is what we call “subscription” or “pooling”, and this approach allows a customer to have up to a pre-defined number of certificates issued and active at any given time during the period of the subscription. This approach allows customers the flexibility to issue and change certificates as often as necessary as their needs change, including, for example, revoking a no-longer needed certificate and issuing a new one with new organization information or domains, with no additional charges. At the time of renewal, customers can increase or decrease the number of certificates that are available under their subscription. If at any time a customer chooses to fully stop their subscription, then the license period ends, and under the terms of the agreement we reserve the right to revoke any unexpired certificates.
>
> So, depending on the model selected by the customer up front, the approach differs on how unexpired certificates are handled upon termination, and both are addressed in our Certificate and Signing Services Terms of Use. In addition, it is common that terms may be custom negotiated, so the best course of action, for any individual customer with questions, is to contact their account representatives directly to discuss.
>
> We hope this provides some more context to the question here on what our standard options and practices are. And we have an extensive customer communications and outreach program underway to ensure that customers understand their options and to provide uninterrupted support for their publicly trusted TLS certificates.
>
> On Thursday, August 1, 2024 at 2:04:05 PM UTC-4 Nick France wrote:
>
>> Last time this happened (see the thread Jonathan Doe linked to), we did see this with customers looking to move to Sectigo - but it was quickly remedied with Jeremy and Tim H's help. We haven't seen a problem with DigiCert again since.
>>
>> I will say that we are now seeing the same with Entrust customers who are being told that active certificates will be revoked if contracts are not renewed, in clear language.
>>
>> I have privately sent the details of at least one customer to Bruce, and hopefully he can confirm this was an error on the part of the Entrust employee, or that it is indeed Entrust's policy.
>>
>> Nick
>>
>> On Thursday, August 1, 2024 at 1:21:58 AM UTC+1 Mike Shaver wrote:
>>
>>> On Wed, Jul 31, 2024 at 8:19 PM Matt Palmer <[email protected]> wrote:
>>>
>>>> On Wed, Jul 31, 2024 at 04:02:50PM -0700, 'Bruce Morton' via [email protected] wrote:
>>>> > Without more details about your specific situation, it’s difficult to address your concern effectively. Please reach out to me personally, and I will do my best to assist you.
>>>>
>>>> Given Entrust's perceived past (lack of) transparency in communications, it might be better if as much of this issue could be resolved in public.
>>>>
>>>> Can you provide any insight into why any Entrust subscriber may have gained the impression that "if we did not renew the contract, all active certificates would be revoked"? Even if that is not Entrust's intention, the fact that a subscriber may have gotten that impression from, say, an over-zealous salesperson or poorly-worded email is very troubling.
>>>
>>> Have to disagree here, Matt. I don’t think it will be as effective for this discussion to be redacted as it would need to be in order to be public, and still protect J Doe, and I think that we can take Bruce’s offer to investigate in good faith.
>>>
>>> If it becomes a pattern that’s reported more widely—and I think it would spread quickly, given the visibility of Entrust’s difficulties of late—then we might get to the point of “very troubling”. Let’s not use up all our strong language on the earliest wisps of concern. :)
>>>
>>> Mike

--
You received this message because you are subscribed to the Google Groups "[email protected]" group.
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/cf625cfc-6355-4e9d-b4c7-37f47a938f9fn%40mozilla.org.
