The former employee of StartCom and author of https://www.letsphish.org/ took the content down, presumably facing legal pressure from StartCom or WoSign. Please see the full site mirror here: https://archive.is/8bSp6

On Thursday, September 1, 2016 at 8:50:51 AM UTC-7, Vincent Lynch wrote:
> This may be getting a bit ahead of the discussion, but...
>
> The exact relationship between WoSign and StartCom seems relevant to how
> these violations should be handled.
>
> Whether browsers decide to distrust WoSign, require CTs for all/future certs,
> take some other "probationary" decision, or do nothing at all, the
> relationship between these two CAs needs to be fully understood to properly
> execute that decision.
>
> If WoSign's violations are a result of bad policies/systems, and they own
> StartCom, should both CAs not face the same oversight/punitive action? If
> WoSign certs are to be logged in CT, do StartCom certs also need to be
> logged? If tomorrow, StartCom was to violate the BRs, is that viewed as a
> separate incident? Or grouped in with the other violations WoSign has had?
>
> The question of who owns/operates StartCom has been something the CA/Browser
> community has wondered about for the last few months.
>
> Last night, https://www.letsphish.org was shared to this thread. The contents
> of that site are currently unavailable for stated legal reasons, but the site
> can still be accessed through Google's Cache:
> http://webcache.googleusercontent.com/search?q=cache:https://www.letsphish.org/?part=1
>
> This site made the following claim (and provided supporting documentation):
>
> "Reviewing StartCom registry in the Israeli company directory reveal that on
> November 1st, 2015 all the shares of the private held company were transfered
> to a UK based company named "StartCom CA Limited". This company, "StartCom
> CA" is owned by Gaohua Wang, who is of Chinese nationality."
>
> The site further claims that Gaohua Wang and Richard Wang are the same person.
>
> Previously in this thread, Richard wrote:
>
> "[WoSign] shared some facility with StartCom like CRL and OCSP distribution
> etc."
>
> However, the claims raised by LetsPhish.org, the connections between
> StartCom's StartEncrypt system and WoSign's issuance systems, and other
> assertions
> (https://pierrekim.github.io/blog/2016-02-16-why-i-stopped-using-startssl-because-of-qihoo-360.html)
> have made it obvious that we do not *know* very much.
>
> I think Eddy Nigg (founder of StartCom) and/or Richard Wang (of WoSign)
> should make a statement about this.

