Re: WoSign’s Ownership of StartCom

[Han Yuwei]

在 2016年9月9日星期五 UTC+8下午5:49:07，Gervase Markham写道：
> Dear m.d.s.policy,
> 
> We have been actively investigating reports that WoSign and StartCom may
> have failed to comply with our policy on change of control notification.
> Below is a summary representing the best of our knowledge and belief,
> based on our findings and investigation to date.
> 
> The operations of the CA known as StartCom have historically been owned
> and controlled by an Israeli company, number 513747303, called "סטארט
> קומארשל בע”מ", or in English "Start Commercial Ltd". This company will
> be referred to in this document as "StartCom IL". It has normally been
> represented in public and the CAB Forum by its COO/CTO, Eddy Nigg.
> 
> On August 5th, 2015 a new company, "StartCom CA Ltd", was created in
> Hong Kong.[0] This company will be referred to in this document as
> "StartCom HK".
> 
> On August 21st, 2015 a new company, also called "StartCom CA Ltd", was
> created in the UK.[1] This company will be referred to in this document
> as "StartCom UK".
> 
> 100% of the shares of “StartCom CA Ltd” in the UK are listed as being
> owned by "StartCom CA Ltd".[2] This seems circular, but our
> understanding is it actually refers to StartCom HK, which has the same
> name. StartCom UK is documented as having two directors. One is Gaohua
> (Richard) Wang, who will be known to you all as he represents WoSign in
> this forum and at the CAB Forum. The other, appointed last month, is
> Iñigo Barreira, formerly of the CA Izenpe and now of StartCom.
> 
> StartCom HK's 100% ownership appears to give it total control over
> StartCom UK, including the ability to hire and fire directors at will,
> due to a special clause (#73) in the company formation documents.[3]
> 
> StartCom HK's Company Registration Number (CRN) is 2271553, which can be
> looked up at the Cyber Search Centre of the Integrated Companies
> Registry Information System[4] in Hong Kong. There is a requirement for
> registration and a small payment, but the relevant documents have been
> provided by Mozilla. These documents show that:
> 
> * StartCom HK’s documents list only one director, Gaohua (Richard) Wang.[5]
> 
> * StartCom HK’s documents appear to show it is 100% owned (10,000
> shares) by “WoSign CA Limited”.[6]
> 
> We understand that on or around the 1st of November 2015, ownership of
> all of the shares in StartCom IL was transferred from 15 different
> shareholders (including the majority shareholder, named Revital Nigg) to
> the recently-formed StartCom UK.[7] At around the same time, Gaohua
> (Richard) Wang became the sole director of StartCom IL.[8] Details of
> these changes can be looked up at the appropriate Israeli governmental
> department. They require a payment, but are public records, and the
> relevant documents have been provided by Mozilla.
> 
> So to summarise our understanding: as of today, StartCom IL (sole
> director: Richard Wang) is 100% owned by StartCom UK (two directors:
> Richard Wang and Iñigo Barreira), which is 100% owned by StartCom HK
> (sole director: Richard Wang), which is 100% owned by the CA WoSign
> (CEO: Richard Wang).
> 
> It is important to note that there is nothing confidential about any of
> the above and none of what is described is illegal. Company ownership
> information in these jurisdictions is public information. CAs have been
> bought and sold in the past. However, the following aspects of the
> situation are problematic:
> 
> A) Mozilla's CA policy has a requirement that:
> 
> "We require that all CAs whose certificates are distributed with our
> software products notify us... when the ownership control of the CA’s
> certificate(s) changes, or when ownership control of the CA’s operations
> changes."[9]
> 
> It seems clear to us from the above account that, if our understanding
> is correct, this transaction fits this requirement - ownership control
> of the CA's operations has changed, and StartCom is now wholly owned and
> controlled by WoSign. However, the change in ownership was not reported
> to Mozilla.
> 
> B) When questioned, representatives of StartCom and WoSign have
> specifically denied that anything had happened which needed to be
> reported to Mozilla, even when this particular clause of the policy was
> drawn to their attention.
> 
> On 23rd February 2016, Richard Wang wrote: “no ‘Change in legal
> ownership’ in StartCom.”[10]
> 
> On 24th February 2016, Richard Wang wrote: “[StartCom UK] is one of the
> shareholder of [StartCom IL].”[10]
> 
> On 27th February 2016, Eddy Nigg characterised the relationship as
> follows: “StartCom owns its own roots obviously, operates as usual in
> Israel. ... We have a long-standing business relationship and
> cooperation with WoSign which keeps growing.”[10]
> 
> On 2nd September 2016, Richard Wang wrote: “Please don't bind WoSign
> incident problem with StartCom, it is two independent company that one
> registered in China and one located in Israel.”[11]
> 
> C) Though 

Re: [FORGED] Re: WoSign’s Ownership of StartCom

[Gervase Markham]

On 10/09/16 09:23, Percy wrote:
> I found the following info about Andy Ligg.

Percy, this is verging on doxxing. Please can you leave the
investigating of companies and people to the Mozilla CA team? If you
have further observations about StartCom or WoSign's certificate corpus,
those would be welcome.

Thanks :-)

Gerv
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Re: WoSign’s Ownership of StartCom

[Percy]

On Friday, September 9, 2016 at 2:49:07 AM UTC-7, Gervase Markham wrote:
> Dear m.d.s.policy,
> 
> We have been actively investigating reports that WoSign and StartCom may
> have failed to comply with our policy on change of control notification.
> Below is a summary representing the best of our knowledge and belief,
> based on our findings and investigation to date.
> 
> The operations of the CA known as StartCom have historically been owned
> and controlled by an Israeli company, number 513747303, called "סטארט
> קומארשל בע”מ", or in English "Start Commercial Ltd". This company will
> be referred to in this document as "StartCom IL". It has normally been
> represented in public and the CAB Forum by its COO/CTO, Eddy Nigg.
> 
> On August 5th, 2015 a new company, "StartCom CA Ltd", was created in
> Hong Kong.[0] This company will be referred to in this document as
> "StartCom HK".
> 
> On August 21st, 2015 a new company, also called "StartCom CA Ltd", was
> created in the UK.[1] This company will be referred to in this document
> as "StartCom UK".
> 
> 100% of the shares of “StartCom CA Ltd” in the UK are listed as being
> owned by "StartCom CA Ltd".[2] This seems circular, but our
> understanding is it actually refers to StartCom HK, which has the same
> name. StartCom UK is documented as having two directors. One is Gaohua
> (Richard) Wang, who will be known to you all as he represents WoSign in
> this forum and at the CAB Forum. The other, appointed last month, is
> Iñigo Barreira, formerly of the CA Izenpe and now of StartCom.
> 
> StartCom HK's 100% ownership appears to give it total control over
> StartCom UK, including the ability to hire and fire directors at will,
> due to a special clause (#73) in the company formation documents.[3]
> 
> StartCom HK's Company Registration Number (CRN) is 2271553, which can be
> looked up at the Cyber Search Centre of the Integrated Companies
> Registry Information System[4] in Hong Kong. There is a requirement for
> registration and a small payment, but the relevant documents have been
> provided by Mozilla. These documents show that:
> 
> * StartCom HK’s documents list only one director, Gaohua (Richard) Wang.[5]
> 
> * StartCom HK’s documents appear to show it is 100% owned (10,000
> shares) by “WoSign CA Limited”.[6]
> 
> We understand that on or around the 1st of November 2015, ownership of
> all of the shares in StartCom IL was transferred from 15 different
> shareholders (including the majority shareholder, named Revital Nigg) to
> the recently-formed StartCom UK.[7] At around the same time, Gaohua
> (Richard) Wang became the sole director of StartCom IL.[8] Details of
> these changes can be looked up at the appropriate Israeli governmental
> department. They require a payment, but are public records, and the
> relevant documents have been provided by Mozilla.
> 
> So to summarise our understanding: as of today, StartCom IL (sole
> director: Richard Wang) is 100% owned by StartCom UK (two directors:
> Richard Wang and Iñigo Barreira), which is 100% owned by StartCom HK
> (sole director: Richard Wang), which is 100% owned by the CA WoSign
> (CEO: Richard Wang).
> 
> It is important to note that there is nothing confidential about any of
> the above and none of what is described is illegal. Company ownership
> information in these jurisdictions is public information. CAs have been
> bought and sold in the past. However, the following aspects of the
> situation are problematic:
> 
> A) Mozilla's CA policy has a requirement that:
> 
> "We require that all CAs whose certificates are distributed with our
> software products notify us... when the ownership control of the CA’s
> certificate(s) changes, or when ownership control of the CA’s operations
> changes."[9]
> 
> It seems clear to us from the above account that, if our understanding
> is correct, this transaction fits this requirement - ownership control
> of the CA's operations has changed, and StartCom is now wholly owned and
> controlled by WoSign. However, the change in ownership was not reported
> to Mozilla.
> 
> B) When questioned, representatives of StartCom and WoSign have
> specifically denied that anything had happened which needed to be
> reported to Mozilla, even when this particular clause of the policy was
> drawn to their attention.
> 
> On 23rd February 2016, Richard Wang wrote: “no ‘Change in legal
> ownership’ in StartCom.”[10]
> 
> On 24th February 2016, Richard Wang wrote: “[StartCom UK] is one of the
> shareholder of [StartCom IL].”[10]
> 
> On 27th February 2016, Eddy Nigg characterised the relationship as
> follows: “StartCom owns its own roots obviously, operates as usual in
> Israel. ... We have a long-standing business relationship and
> cooperation with WoSign which keeps growing.”[10]
> 
> On 2nd September 2016, Richard Wang wrote: “Please don't bind WoSign
> incident problem with StartCom, it is two independent company that one
> registered in China and one located in 

Re: [FORGED] Re: WoSign’s Ownership of StartCom

[Percy]

I found the following info about Andy Ligg.

1) Interestingly, he used addresses/email/phone in HK, UK and Israel various 
domains.
2) He registered various StartEncrypt and StartResell domains in April 2016. 

He is the owner of a list of domains 
epki.cloud  2016-03-25  GODADDY
sccrl.com   2015-05-23  GODADDY.COM, LLC
sslcer.com  2016-05-05  GODADDY.COM, LLC
sslcer.net  2016-05-05  GODADDY.COM, LLC
startauth.com   2016-05-06  GODADDY.COM, LLC
startauth.net   2016-05-06  GODADDY.COM, LLC
startcodesign.com   2016-01-29  GODADDY.COM, LLC
startcom.email  2016-01-18  GODADDY LLC
startencrypt.com2016-04-21  GODADDY.COM, LLC
startencrypt.net2016-04-21  GODADDY.COM, LLC
startesign.com  2016-01-18  GODADDY.COM, LLC
startesign.info 2016-01-18  GODADDY.COM, LLC
startesign.net  2016-01-18  GODADDY.COM, LLC
startesign.org  2016-01-18  GODADDY.COM, LLC
startresell.com 2016-04-27  GODADDY.COM, LLC
startresell.net 2016-04-27  GODADDY.COM, LLC
startssl.biz2016-03-07  GODADDY.COM, INC.
startssl.mobi   2016-03-07  GODADDY.COM, LLC (146)

https://who.is/whois/epki.cloud
Name Andy Ligg
Organization
AddressHong Kong
CityHong Kong
State / Province N/A
Postal Code
Country HK
Phone +44.2079934541
Email webmas...@startcom.uk

https://who.is/whois/startauth.com
startauth.com 
Registered On 2016-05-06
NameAndy Ligg
Organization StartCom CA Limited
Address 4th Floor Imperial House,
Address 15 Kingsway
City London
Postal Code WC2B 6UN
Country UK
Phone+44.2079934170
Email webmas...@startcom.uk

https://who.is/whois/startcodesign.com
startcodesign.com
Name Andy Ligg
Organization StartCom CA Limited
Address 4th Floor Imperial House, 15 K
City London
Postal Code WC2B 6UN
Country UK
Phone +44.2079934541
Email webmas...@startcom.uk

https://who.is/whois/
startssl.biz
Name Andy Ligg
Organization StartCom Limited
Address Ha Sapan 5
City Eilat
Postal Code 8
Country Israel
Phone+972.86344170
webmas...@startssl.com

https://who.is/whois/startencrypt.net
startencrypt.net
Name Andy Ligg
Organization
Address Hong Kong
CityHong Kong
State / ProvinceHK
Postal Code 8
Country HK
Phone+852.2079934308
Email webmas...@startcom.uk


3) https://bugs.chromium.org/p/chromium/issues/detail?id=611672
Certificate Transparency - StartCom CT log server inclusion request
Contact Information:
- Email: c...@startssl.com
- Phone number:  +1.213.341.0329   
- Log Operator: Eddy Nigg, Andy Ligg

Log Server URL: https://ct.startssl.com
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Re: [FORGED] Re: WoSign’s Ownership of StartCom

[Peter Gutmann]

Peter Kurrasch  writes:

>I would also ask for confirmation that "Andy Ligg" is in fact a real person
>and not a pseudonym adopted by Richard or someone else. The similarity to
>Eddy's name is...remarkable.

Andy Ligg?  The only similar name I saw in Gerv's post was Revital Nigg, who
I'm guessing is Eddy's wife/partner who has a majority holding for legal or
business purposes, which would be perfectly reasonable.

Peter.
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Re: WoSign’s Ownership of StartCom

[Matt Palmer]

Hi Gerv,

On Fri, Sep 09, 2016 at 10:48:26AM +0100, Gervase Markham wrote:
> We have been actively investigating reports that WoSign and StartCom may
> have failed to comply with our policy on change of control notification.
> Below is a summary representing the best of our knowledge and belief,
> based on our findings and investigation to date.

Thanks for this exhaustive and well-written summary of the investigation. 

Unless there's some contrary evidence presented by representatives of
StartCom and/or WoSign, it seems that StartCom is a fully-controlled
subsidiary of WoSign, and it should be treated as such.  Any sanctions
applied to WoSign-branded roots should thus be similarly applied to
StartCom-branded roots.

- Matt

___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Re: WoSign’s Ownership of StartCom

[Richard Wang]

Hi all,

An announcement and disclosure will be made shortly pending completion of the 
business transaction.
We can provide the proof documents to Mozilla to show this transaction is not 
finished if Mozilla think it is necessary.


Regards,

Richard

> On 9 Sep 2016, at 17:47, Gervase Markham  wrote:
> 
> Dear m.d.s.policy,
> 
> We have been actively investigating reports that WoSign and StartCom may
> have failed to comply with our policy on change of control notification.
> Below is a summary representing the best of our knowledge and belief,
> based on our findings and investigation to date.
> 
> The operations of the CA known as StartCom have historically been owned
> and controlled by an Israeli company, number 513747303, called "סטארט
> קומארשל בע”מ", or in English "Start Commercial Ltd". This company will
> be referred to in this document as "StartCom IL". It has normally been
> represented in public and the CAB Forum by its COO/CTO, Eddy Nigg.
> 
> On August 5th, 2015 a new company, "StartCom CA Ltd", was created in
> Hong Kong.[0] This company will be referred to in this document as
> "StartCom HK".
> 
> On August 21st, 2015 a new company, also called "StartCom CA Ltd", was
> created in the UK.[1] This company will be referred to in this document
> as "StartCom UK".
> 
> 100% of the shares of “StartCom CA Ltd” in the UK are listed as being
> owned by "StartCom CA Ltd".[2] This seems circular, but our
> understanding is it actually refers to StartCom HK, which has the same
> name. StartCom UK is documented as having two directors. One is Gaohua
> (Richard) Wang, who will be known to you all as he represents WoSign in
> this forum and at the CAB Forum. The other, appointed last month, is
> Iñigo Barreira, formerly of the CA Izenpe and now of StartCom.
> 
> StartCom HK's 100% ownership appears to give it total control over
> StartCom UK, including the ability to hire and fire directors at will,
> due to a special clause (#73) in the company formation documents.[3]
> 
> StartCom HK's Company Registration Number (CRN) is 2271553, which can be
> looked up at the Cyber Search Centre of the Integrated Companies
> Registry Information System[4] in Hong Kong. There is a requirement for
> registration and a small payment, but the relevant documents have been
> provided by Mozilla. These documents show that:
> 
> * StartCom HK’s documents list only one director, Gaohua (Richard) Wang.[5]
> 
> * StartCom HK’s documents appear to show it is 100% owned (10,000
> shares) by “WoSign CA Limited”.[6]
> 
> We understand that on or around the 1st of November 2015, ownership of
> all of the shares in StartCom IL was transferred from 15 different
> shareholders (including the majority shareholder, named Revital Nigg) to
> the recently-formed StartCom UK.[7] At around the same time, Gaohua
> (Richard) Wang became the sole director of StartCom IL.[8] Details of
> these changes can be looked up at the appropriate Israeli governmental
> department. They require a payment, but are public records, and the
> relevant documents have been provided by Mozilla.
> 
> So to summarise our understanding: as of today, StartCom IL (sole
> director: Richard Wang) is 100% owned by StartCom UK (two directors:
> Richard Wang and Iñigo Barreira), which is 100% owned by StartCom HK
> (sole director: Richard Wang), which is 100% owned by the CA WoSign
> (CEO: Richard Wang).
> 
> It is important to note that there is nothing confidential about any of
> the above and none of what is described is illegal. Company ownership
> information in these jurisdictions is public information. CAs have been
> bought and sold in the past. However, the following aspects of the
> situation are problematic:
> 
> A) Mozilla's CA policy has a requirement that:
> 
> "We require that all CAs whose certificates are distributed with our
> software products notify us... when the ownership control of the CA’s
> certificate(s) changes, or when ownership control of the CA’s operations
> changes."[9]
> 
> It seems clear to us from the above account that, if our understanding
> is correct, this transaction fits this requirement - ownership control
> of the CA's operations has changed, and StartCom is now wholly owned and
> controlled by WoSign. However, the change in ownership was not reported
> to Mozilla.
> 
> B) When questioned, representatives of StartCom and WoSign have
> specifically denied that anything had happened which needed to be
> reported to Mozilla, even when this particular clause of the policy was
> drawn to their attention.
> 
> On 23rd February 2016, Richard Wang wrote: “no ‘Change in legal
> ownership’ in StartCom.”[10]
> 
> On 24th February 2016, Richard Wang wrote: “[StartCom UK] is one of the
> shareholder of [StartCom IL].”[10]
> 
> On 27th February 2016, Eddy Nigg characterised the relationship as
> follows: “StartCom owns its own roots obviously, operates as usual in
> Israel. ... We have a long-standing business relationship 

WoSign’s Ownership of StartCom

[Gervase Markham]

Dear m.d.s.policy,

We have been actively investigating reports that WoSign and StartCom may
have failed to comply with our policy on change of control notification.
Below is a summary representing the best of our knowledge and belief,
based on our findings and investigation to date.

The operations of the CA known as StartCom have historically been owned
and controlled by an Israeli company, number 513747303, called "סטארט
קומארשל בע”מ", or in English "Start Commercial Ltd". This company will
be referred to in this document as "StartCom IL". It has normally been
represented in public and the CAB Forum by its COO/CTO, Eddy Nigg.

On August 5th, 2015 a new company, "StartCom CA Ltd", was created in
Hong Kong.[0] This company will be referred to in this document as
"StartCom HK".

On August 21st, 2015 a new company, also called "StartCom CA Ltd", was
created in the UK.[1] This company will be referred to in this document
as "StartCom UK".

100% of the shares of “StartCom CA Ltd” in the UK are listed as being
owned by "StartCom CA Ltd".[2] This seems circular, but our
understanding is it actually refers to StartCom HK, which has the same
name. StartCom UK is documented as having two directors. One is Gaohua
(Richard) Wang, who will be known to you all as he represents WoSign in
this forum and at the CAB Forum. The other, appointed last month, is
Iñigo Barreira, formerly of the CA Izenpe and now of StartCom.

StartCom HK's 100% ownership appears to give it total control over
StartCom UK, including the ability to hire and fire directors at will,
due to a special clause (#73) in the company formation documents.[3]

StartCom HK's Company Registration Number (CRN) is 2271553, which can be
looked up at the Cyber Search Centre of the Integrated Companies
Registry Information System[4] in Hong Kong. There is a requirement for
registration and a small payment, but the relevant documents have been
provided by Mozilla. These documents show that:

* StartCom HK’s documents list only one director, Gaohua (Richard) Wang.[5]

* StartCom HK’s documents appear to show it is 100% owned (10,000
shares) by “WoSign CA Limited”.[6]

We understand that on or around the 1st of November 2015, ownership of
all of the shares in StartCom IL was transferred from 15 different
shareholders (including the majority shareholder, named Revital Nigg) to
the recently-formed StartCom UK.[7] At around the same time, Gaohua
(Richard) Wang became the sole director of StartCom IL.[8] Details of
these changes can be looked up at the appropriate Israeli governmental
department. They require a payment, but are public records, and the
relevant documents have been provided by Mozilla.

So to summarise our understanding: as of today, StartCom IL (sole
director: Richard Wang) is 100% owned by StartCom UK (two directors:
Richard Wang and Iñigo Barreira), which is 100% owned by StartCom HK
(sole director: Richard Wang), which is 100% owned by the CA WoSign
(CEO: Richard Wang).

It is important to note that there is nothing confidential about any of
the above and none of what is described is illegal. Company ownership
information in these jurisdictions is public information. CAs have been
bought and sold in the past. However, the following aspects of the
situation are problematic:

A) Mozilla's CA policy has a requirement that:

"We require that all CAs whose certificates are distributed with our
software products notify us... when the ownership control of the CA’s
certificate(s) changes, or when ownership control of the CA’s operations
changes."[9]

It seems clear to us from the above account that, if our understanding
is correct, this transaction fits this requirement - ownership control
of the CA's operations has changed, and StartCom is now wholly owned and
controlled by WoSign. However, the change in ownership was not reported
to Mozilla.

B) When questioned, representatives of StartCom and WoSign have
specifically denied that anything had happened which needed to be
reported to Mozilla, even when this particular clause of the policy was
drawn to their attention.

On 23rd February 2016, Richard Wang wrote: “no ‘Change in legal
ownership’ in StartCom.”[10]

On 24th February 2016, Richard Wang wrote: “[StartCom UK] is one of the
shareholder of [StartCom IL].”[10]

On 27th February 2016, Eddy Nigg characterised the relationship as
follows: “StartCom owns its own roots obviously, operates as usual in
Israel. ... We have a long-standing business relationship and
cooperation with WoSign which keeps growing.”[10]

On 2nd September 2016, Richard Wang wrote: “Please don't bind WoSign
incident problem with StartCom, it is two independent company that one
registered in China and one located in Israel.”[11]

C) Though browsers were already in the process of investigating this
ownership structure due to independent reports, when a former employee
of StartCom attempted to raise broader awareness of these concerns,
StartCom responded with legal threats. Without taking