This may be getting a bit ahead of the discussion, but...

The exact relationship between WoSign and StartCom seems relevant to how these 
violations should be handled.

Whether browsers decide to distrust WoSign, require CTs for all/future certs, 
take some other "probationary" decision, or do nothing at all, the relationship 
between these two CAs needs to be fully understood to properly execute that 
decision.

If WoSign's violations are a result of bad policies/systems, and they own 
StartCom, should both CAs not face the same oversight/punitive action? If 
WoSign certs are to be logged in CT, do StartCom certs also need to be logged? 
If tomorrow, StartCom was to violate the BRs, is that viewed as a separate 
incident? Or grouped in with the other violations WoSign has had?

The question of who owns/operates StartCom has been something the CA/Browser 
community has wondered about for the last few months.

Last night, https://www.letsphish.org was shared to this thread. The contents 
of that site are currently unavailable for stated legal reasons, but the site 
can still be accessed through Google's Cache: 
http://webcache.googleusercontent.com/search?q=cache:https://www.letsphish.org/?part=1

This site made the following claim (and provided supporting documentation):

"Reviewing StartCom registry in the Israeli company directory reveals that on 
November 1st, 2015 all the shares of the privately held company were transferred 
to a UK based company named "StartCom CA Limited". This company, "StartCom CA" 
is owned by Gaohua Wang, who is of Chinese nationality."

The site further claims that Gaohua Wang and Richard Wang are the same person.

Previously in this thread, Richard wrote:

"[WoSign] shared some facility with StartCom like CRL and OCSP distribution 
etc."

However, the claims raised by LetsPhish.org, the connections between StartCom's 
StartEncrypt system and WoSign's issuance systems, and other assertions 
(https://pierrekim.github.io/blog/2016-02-16-why-i-stopped-using-startssl-because-of-qihoo-360.html) 
have made it obvious that we do not *know* very much.

I think Eddy Nigg (founder of StartCom) and/or Richard Wang (of WoSign) should 
make a statement about this.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy