I don’t think this is an inherently inappropriate model, as long as the consequences of contract non-renewal are spelled out to the customer clearly enough. When you stop paying Splunk, they sure do delete your stuff with enthusiasm (not that Splunk is necessarily the highest bar for treating customers well).
It seems like it may not have been sufficiently clear to some of the subscriber representatives that this is the case, but that’s a customer management issue and Entrust will deal with the consequences of it. I don’t think it’s bad for the web for these sorts of arrangements to exist, or having pretty much any sort of contractual limitation on certificate lifetimes — normal notAfter expiry, a temporary intermediate, a cert issued to a CA employee for personal use that gets revoked when they leave, etc. After all, these subscribers are supposed to be able to get a new cert deployed in 24 hours anyway, right? :P

I would *prefer* that it were done by issuing short-lived certificates, since it’s not super clear to other participants in the ecosystem that there is a “non-emergency” circumstance in which notAfter might be misleading, and revocation checking is not really in a great state generally, but…

Mike

On Fri, Aug 2, 2024 at 8:43 AM Wayne <[email protected]> wrote:

> So in summary: the allegations are true, and there's a direct business model created to allow this to exist alongside the traditional certificates system?
>
> Are any other CAs going to be forthcoming on a similar approach, as what is being described is renting certificate lifespan, with hidden cancellation fees. I don't see how this is compatible with the baseline requirements, and seems to reflect a CA further inserting themselves into the chain to confuse subscribers on what precisely they are purchasing with a certificate. A flexible-volume license approach is different than what has been described, to be clear.
>
> It is disconcerting that this is phrased as standard operating procedure, and nothing to worry about.
>
> - Wayne
>
> On Friday, August 2, 2024 at 1:33:10 PM UTC+1 Bruce Morton wrote:
>
>> Hi Nick,
>>
>> Thanks for passing on the customer email, we’re following up directly there, and as always, we’d recommend that customers directly reach out to their account team to discuss their specific needs.
>>
>> That said, we think it would be helpful to share the different certificate licensing models we offer and the details of each. Entrust broadly offers two models for certificate purchase. The handling of active certificates, including revocation, differs based on the model chosen by the customer.
>>
>> The first model is what we call “unit based” and is what most would consider the historically traditional approach for certificate offers, where a customer purchases a certificate for a specific term, that certificate is paid for up front, and their license is valid through the expiration date of the certificate. After initial issuance only limited changes are permitted to the details of the certificate.
>>
>> The second model is what we call “subscription” or “pooling”, and this approach allows a customer to have up to a pre-defined number of certificates issued and active at any given time during the period of the subscription. This approach allows customers the flexibility to issue and change certificates as often as necessary as their needs change, including, for example, revoking a no-longer needed certificate and issuing a new one with new organization information or domains, with no additional charges. At the time of renewal, customers can increase or decrease the number of certificates that are available under their subscription. If at any time a customer chooses to fully stop their subscription, then the license period ends, and under the terms of the agreement we reserve the right to revoke any unexpired certificates.
>>
>> So, depending on the model selected by the customer up front, the approach differs on how unexpired certificates are handled upon termination, and both are addressed in our Certificate and Signing Services Terms of Use. In addition, it is common that terms may be custom negotiated, so the best course of action, for any individual customer with questions, is to contact their account representatives directly to discuss.
>>
>> We hope this provides some more context to the question here on what our standard options and practices are. And we have an extensive customer communications and outreach program underway to ensure that customers understand their options and to provide uninterrupted support for their publicly trusted TLS certificates.
>>
>> On Thursday, August 1, 2024 at 2:04:05 PM UTC-4 Nick France wrote:
>>
>>> Last time this happened (see the thread Jonathan Doe linked to), we did see this with customers looking to move to Sectigo - but it was quickly remedied with Jeremy and Tim H's help. We haven't seen a problem with DigiCert again since.
>>>
>>> I will say that we are now seeing the same with Entrust customers who are being told that active certificates will be revoked if contracts are not renewed, in clear language.
>>>
>>> I have privately sent the details of at least one customer to Bruce, and hopefully he can confirm this was an error on the part of the Entrust employee, or that it is indeed Entrust's policy.
>>>
>>> Nick
>>>
>>> On Thursday, August 1, 2024 at 1:21:58 AM UTC+1 Mike Shaver wrote:
>>>
>>>> On Wed, Jul 31, 2024 at 8:19 PM Matt Palmer <[email protected]> wrote:
>>>>
>>>>> On Wed, Jul 31, 2024 at 04:02:50PM -0700, 'Bruce Morton' via [email protected] wrote:
>>>>> > Without more details about your specific situation, it’s difficult to address your concern effectively. Please reach out to me personally, and I will do my best to assist you.
>>>>>
>>>>> Given Entrust's perceived past (lack of) transparency in communications, it might be better if as much of this issue could be resolved in public.
>>>>>
>>>>> Can you provide any insight into why any Entrust subscriber may have gained the impression that "if we did not renew the contract, all active certificates would be revoked"? Even if that is not Entrust's intention, the fact that a subscriber may have gotten that impression from, say, an over-zealous salesperson or poorly-worded email is very troubling.
>>>>
>>>> Have to disagree here, Matt. I don’t think it will be as effective for this discussion to be redacted as it would need to be in order to be public, and still protect J Doe, and I think that we can take Bruce’s offer to investigate in good faith.
>>>>
>>>> If it becomes a pattern that’s reported more widely—and I think it would spread quickly, given the visibility of Entrust’s difficulties of late—then we might get to the point of “very troubling”. Let’s not use up all our strong language on the earliest wisps of concern. :)
>>>>
>>>> Mike
>>>>
> --
> You received this message because you are subscribed to the Google Groups "[email protected]" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/cf625cfc-6355-4e9d-b4c7-37f47a938f9fn%40mozilla.org.

--
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CADQzZquzK7v5On75GRdc%2Bj9U_u%2B8bXr7%2Bp%3D4VGP%3DwtnAC1Kq7w%40mail.gmail.com.
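Mike's rem ark above that notAfter "might be misleading" in a non-emergency revocation, and that short-lived certificates would make the end of the license visible in the certificate itself, can be made concrete. What follows is an added example written for this page, not code from the thread, from Entrust, or from Mozilla; it uses only Go's standard library. A throwaway CA (constructed for the example, with a made-up name, host name, serials and validity periods) issues a 397-day leaf and a 7-day leaf; when the "subscription" ends, the CA revokes the long-lived leaf and publishes a CRL. A relying party that checks only the validity window still reports the revoked certificate as valid, one that fetches and verifies the CRL sees the revocation, and the short-lived leaf needs no revocation at all because a week later it has simply expired. The CRL is built in memory rather than fetched from a CRL distribution point.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

const StatusValid, StatusExpired, StatusRevoked = "valid", "expired", "revoked" // relying-party verdicts

func check(err error) { // fixture-building errors panic; only the verification functions return errors
	if err != nil {
		panic(err)
	}
}

// Sign has parent (holding parentKey) sign tmpl over the public key pub and returns the parsed certificate.
func Sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert
}

// IssueLeaf issues a server certificate for a hypothetical host with the given serial and notAfter.
func IssueLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, serial int64, notAfter time.Time) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	return Sign(&x509.Certificate{
		SerialNumber: big.NewInt(serial), DNSNames: []string{"www.example.test"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: notAfter,
	}, ca, &key.PublicKey, caKey)
}

// StatusByExpiry is what a relying party that only checks the validity window concludes; it is blind to revocation.
func StatusByExpiry(leaf *x509.Certificate, now time.Time) string {
	if now.Before(leaf.NotBefore) || now.After(leaf.NotAfter) {
		return StatusExpired
	}
	return StatusValid
}

// StatusWithCRL also verifies the CRL signature against the issuer, rejects a stale CRL, and looks the serial up in it.
func StatusWithCRL(leaf, issuer *x509.Certificate, crlDER []byte, now time.Time) (string, error) {
	if s := StatusByExpiry(leaf, now); s != StatusValid {
		return s, nil
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return "", err
	}
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return "", fmt.Errorf("CRL not signed by issuer: %w", err)
	}
	if now.After(crl.NextUpdate) {
		return "", fmt.Errorf("CRL stale since %s", crl.NextUpdate)
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return StatusRevoked, nil
		}
	}
	return StatusValid, nil
}

// RunScenario models a subscription ending: the CA revokes a 397-day leaf and publishes a CRL, while a 7-day
// leaf is left to run out. It returns the long-lived leaf's verdict by dates only, the same leaf's verdict with
// the CRL consulted, and the short-lived leaf's verdict a week after non-renewal.
func RunScenario() (byExpiry, withCRL, shortLater string, err error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	now := time.Now()
	caTmpl := &x509.Certificate{ // throwaway test CA, constructed for this example; crlSign lets it sign CRLs
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Test CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.AddDate(10, 0, 0),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	ca := Sign(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	long := IssueLeaf(ca, caKey, 1001, now.Add(397*24*time.Hour))
	short := IssueLeaf(ca, caKey, 1002, now.Add(7*24*time.Hour))
	// The CA revokes the long-lived leaf when the subscription ends and publishes a CRL saying so.
	crl, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: long.SerialNumber, RevocationTime: now}},
	}, ca, caKey)
	check(err)
	withCRL, err = StatusWithCRL(long, ca, crl, now)
	return StatusByExpiry(long, now), withCRL, StatusByExpiry(short, now.Add(8*24*time.Hour)), err
}

func main() { fmt.Println(RunScenario()) }
```

Running it prints `valid revoked expired <nil>`: the same long-lived certificate is "valid" to a date-only check and "revoked" to a CRL-aware one, while the short-lived certificate is simply "expired" a week after non-renewal without the CA having to revoke anything. StatusWithCRL fails closed (returns an error rather than a verdict) when the CRL's signature does not verify against the issuer or the CRL is past its nextUpdate; a client that cannot or does not fetch revocation data at all is in the date-only position, which is the gap Mike's remark about the state of revocation checking refers to.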
