WoSign confirmed to own StartCom
This appeared on the mozilla.dev.security.policy mailing list two days ago. I figured I'd create a new thread, since circumstances have changed and the previous WoSign thread became a bit of a mess.
So to summarise our understanding: as of today, StartCom IL (sole director: Richard Wang) is 100% owned by StartCom UK (two directors: Richard Wang and Iñigo Barreira), which is 100% owned by StartCom HK (sole director: Richard Wang), which is 100% owned by the CA WoSign (CEO: Richard Wang).

It seems clear to us from the above account that, if our understanding is correct, this transaction fits this requirement - ownership control of the CA's operations has changed, and StartCom is now wholly owned and controlled by WoSign. However, the change in ownership was not reported

When questioned, representatives of StartCom and WoSign have specifically denied that anything had happened which needed to be reported to Mozilla, even when this particular clause of the policy was drawn to their attention.

Though browsers were already in the process of investigating this ownership structure due to independent reports, when a former employee of StartCom attempted to raise broader awareness of these concerns, StartCom responded with legal threats. Without taking a position on the validity of any legal action, we do find it worrying that such disclosure would be met with denials and what appears to be an attempt to suppress this public information, as it does not engender confidence

Additionally, it is notable that StartCom and WoSign, despite this relationship, have continued to exercise two votes in the CAB Forum. [...]

By contrast, the CA brands Symantec, Verisign and Thawte together have a single vote because they are controlled by the same company. This latter behaviour is in line with CAB Forum bylaw 2.2 (b): “Only one vote per Member company shall be accepted; representatives of corporate affiliates shall not vote.”
I'd say it's pretty clear by this point that neither WoSign nor StartCom is to be trusted anymore.
If you're currently using StartCom or WoSign: Consider moving away to Let's Encrypt (from the EFF and others), which offers free certificates without dodgy crap like this. To make setup easier, you might also want to have a look at Caddy.