Dear m.d.s.policy,

We have been actively investigating reports that WoSign and StartCom may have failed to comply with our policy on change of control notification. Below is a summary representing the best of our knowledge and belief, based on our findings and investigation to date.
The operations of the CA known as StartCom have historically been owned and controlled by an Israeli company, number 513747303, called "סטארט קומארשל בע”מ", or in English "Start Commercial Ltd". This company will be referred to in this document as "StartCom IL". It has normally been represented in public and the CAB Forum by its COO/CTO, Eddy Nigg.

On August 5th, 2015 a new company, "StartCom CA Ltd", was created in Hong Kong.[0] This company will be referred to in this document as "StartCom HK". On August 21st, 2015 a new company, also called "StartCom CA Ltd", was created in the UK.[1] This company will be referred to in this document as "StartCom UK".

100% of the shares of "StartCom CA Ltd" in the UK are listed as being owned by "StartCom CA Ltd".[2] This seems circular, but our understanding is it actually refers to StartCom HK, which has the same name. StartCom UK is documented as having two directors. One is Gaohua (Richard) Wang, who will be known to you all as he represents WoSign in this forum and at the CAB Forum. The other, appointed last month, is Iñigo Barreira, formerly of the CA Izenpe and now of StartCom. StartCom HK's 100% ownership appears to give it total control over StartCom UK, including the ability to hire and fire directors at will, due to a special clause (#73) in the company formation documents.[3]

StartCom HK's Company Registration Number (CRN) is 2271553, which can be looked up at the Cyber Search Centre of the Integrated Companies Registry Information System[4] in Hong Kong. There is a requirement for registration and a small payment, but the relevant documents have been provided by Mozilla.
These documents show that:

* StartCom HK's documents list only one director, Gaohua (Richard) Wang.[5]
* StartCom HK's documents appear to show it is 100% owned (10,000 shares) by "WoSign CA Limited".[6]

We understand that on or around the 1st of November 2015, ownership of all of the shares in StartCom IL was transferred from 15 different shareholders (including the majority shareholder, named Revital Nigg) to the recently-formed StartCom UK.[7] At around the same time, Gaohua (Richard) Wang became the sole director of StartCom IL.[8] Details of these changes can be looked up at the appropriate Israeli governmental department. They require a payment, but are public records, and the relevant documents have been provided by Mozilla.

So to summarise our understanding: as of today, StartCom IL (sole director: Richard Wang) is 100% owned by StartCom UK (two directors: Richard Wang and Iñigo Barreira), which is 100% owned by StartCom HK (sole director: Richard Wang), which is 100% owned by the CA WoSign (CEO: Richard Wang).

It is important to note that there is nothing confidential about any of the above and none of what is described is illegal. Company ownership information in these jurisdictions is public information. CAs have been bought and sold in the past. However, the following aspects of the situation are problematic:

A) Mozilla's CA policy has a requirement that: "We require that all CAs whose certificates are distributed with our software products notify us... when the ownership control of the CA's certificate(s) changes, or when ownership control of the CA's operations changes."[9] It seems clear to us from the above account that, if our understanding is correct, this transaction fits this requirement - ownership control of the CA's operations has changed, and StartCom is now wholly owned and controlled by WoSign. However, the change in ownership was not reported to Mozilla.
B) When questioned, representatives of StartCom and WoSign have specifically denied that anything had happened which needed to be reported to Mozilla, even when this particular clause of the policy was drawn to their attention.

On 23rd February 2016, Richard Wang wrote: "no 'Change in legal ownership' in StartCom."[10]

On 24th February 2016, Richard Wang wrote: "[StartCom UK] is one of the shareholder of [StartCom IL]."[10]

On 27th February 2016, Eddy Nigg characterised the relationship as follows: "StartCom owns its own roots obviously, operates as usual in Israel. ... We have a long-standing business relationship and cooperation with WoSign which keeps growing."[10]

On 2nd September 2016, Richard Wang wrote: "Please don't bind WoSign incident problem with StartCom, it is two independent company that one registered in China and one located in Israel."[11]

C) Though browsers were already in the process of investigating this ownership structure due to independent reports, when a former employee of StartCom attempted to raise broader awareness of these concerns, StartCom responded with legal threats. Without taking a position on the validity of any legal action, we do find it worrying that such disclosure would be met with denials and what appears to be an attempt to suppress this public information, as it does not engender confidence or trust.

Additionally, it is notable that StartCom and WoSign, despite this relationship, have continued to exercise two votes in the CAB Forum. Both companies voted on ballots 175, 171, 168, 165, 162, 156 and 153, all of which were voted on after November 1st 2015. (In no case were these the deciding votes.) They also provided both endorsers for ballot 175. By contrast, the CA brands Symantec, Verisign and Thawte together have a single vote because they are controlled by the same company.
This latter behaviour is in line with CAB Forum bylaw 2.2 (b): "Only one vote per Member company shall be accepted; representatives of corporate affiliates shall not vote."[12]

The purpose of the Mozilla rules on ownership transfer disclosure is to help maintain public trust through transparency. While definitions can never be watertight and entirely clear, we feel that this transaction is not in a grey area, and should have been disclosed.

48 hours ago, we asked representatives of WoSign and StartCom for their comments on these findings, asking them to respond by 08:00 UTC today, but we have not yet had a response on this issue.

This issue is recorded as "Issue R" on the list of WoSign issues: https://wiki.mozilla.org/CA:WoSign_Issues

Gerv

[0] https://opencorporates.com/companies/hk/2271553
[1] https://beta.companieshouse.gov.uk/company/09744347
[2] https://beta.companieshouse.gov.uk/company/09744347/filing-history - choose "Annual return made up to 24 August 2015 with full list of shareholders"
[3] https://beta.companieshouse.gov.uk/company/09744347/filing-history - choose "Incorporation Statement of capital on 2015-08-21"
[4] https://www.icris.cr.gov.hk/csci/
[5] https://wiki.mozilla.org/images/c/c6/Startcom-hk-details.pdf
[6] https://wiki.mozilla.org/images/a/a7/Startcom-hk-ownership.pdf
[7] https://wiki.mozilla.org/images/c/c1/Startcom-il-owner-list.pdf
[8] https://wiki.mozilla.org/images/d/d8/Startcom-il-director-list.pdf
[9] https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/maintenance/
[10] These statements were made in emails to the Mozilla CA team, in an email thread questioning the state of the relationship between WoSign and StartCom in light of the Mozilla ownership transparency policy.
[11] https://groups.google.com/d/msg/mozilla.dev.security.policy/k9PBmyLCi8I/AXJoyh4KDQAJ
[12] https://cabforum.org/wp-content/uploads/CA-Browser-Forum-Bylaws-v.-1.4.pdf

