On Friday, September 9, 2016 at 2:49:07 AM UTC-7, Gervase Markham wrote:
> Dear m.d.s.policy,
>
> We have been actively investigating reports that WoSign and StartCom may
> have failed to comply with our policy on change of control notification.
> Below is a summary representing the best of our knowledge and belief,
> based on our findings and investigation to date.
>
> The operations of the CA known as StartCom have historically been owned
> and controlled by an Israeli company, number 513747303, called "סטארט
> קומארשל בע”מ", or in English "Start Commercial Ltd". This company will
> be referred to in this document as "StartCom IL". It has normally been
> represented in public and the CAB Forum by its COO/CTO, Eddy Nigg.
>
> On August 5th, 2015 a new company, "StartCom CA Ltd", was created in
> Hong Kong.[0] This company will be referred to in this document as
> "StartCom HK".
>
> On August 21st, 2015 a new company, also called "StartCom CA Ltd", was
> created in the UK.[1] This company will be referred to in this document
> as "StartCom UK".
>
> 100% of the shares of “StartCom CA Ltd” in the UK are listed as being
> owned by "StartCom CA Ltd".[2] This seems circular, but our
> understanding is it actually refers to StartCom HK, which has the same
> name. StartCom UK is documented as having two directors. One is Gaohua
> (Richard) Wang, who will be known to you all as he represents WoSign in
> this forum and at the CAB Forum. The other, appointed last month, is
> Iñigo Barreira, formerly of the CA Izenpe and now of StartCom.
>
> StartCom HK's 100% ownership appears to give it total control over
> StartCom UK, including the ability to hire and fire directors at will,
> due to a special clause (#73) in the company formation documents.[3]
>
> StartCom HK's Company Registration Number (CRN) is 2271553, which can be
> looked up at the Cyber Search Centre of the Integrated Companies
> Registry Information System[4] in Hong Kong. There is a requirement for
> registration and a small payment, but the relevant documents have been
> provided by Mozilla. These documents show that:
>
> * StartCom HK’s documents list only one director, Gaohua (Richard) Wang.[5]
>
> * StartCom HK’s documents appear to show it is 100% owned (10,000
> shares) by “WoSign CA Limited”.[6]
>
> We understand that on or around the 1st of November 2015, ownership of
> all of the shares in StartCom IL was transferred from 15 different
> shareholders (including the majority shareholder, named Revital Nigg) to
> the recently-formed StartCom UK.[7] At around the same time, Gaohua
> (Richard) Wang became the sole director of StartCom IL.[8] Details of
> these changes can be looked up at the appropriate Israeli governmental
> department. They require a payment, but are public records, and the
> relevant documents have been provided by Mozilla.
>
> So to summarise our understanding: as of today, StartCom IL (sole
> director: Richard Wang) is 100% owned by StartCom UK (two directors:
> Richard Wang and Iñigo Barreira), which is 100% owned by StartCom HK
> (sole director: Richard Wang), which is 100% owned by the CA WoSign
> (CEO: Richard Wang).
>
> It is important to note that there is nothing confidential about any of
> the above and none of what is described is illegal. Company ownership
> information in these jurisdictions is public information. CAs have been
> bought and sold in the past. However, the following aspects of the
> situation are problematic:
>
> A) Mozilla's CA policy has a requirement that:
>
> "We require that all CAs whose certificates are distributed with our
> software products notify us... when the ownership control of the CA’s
> certificate(s) changes, or when ownership control of the CA’s operations
> changes."[9]
>
> It seems clear to us from the above account that, if our understanding
> is correct, this transaction fits this requirement - ownership control
> of the CA's operations has changed, and StartCom is now wholly owned and
> controlled by WoSign. However, the change in ownership was not reported
> to Mozilla.
>
> B) When questioned, representatives of StartCom and WoSign have
> specifically denied that anything had happened which needed to be
> reported to Mozilla, even when this particular clause of the policy was
> drawn to their attention.
>
> On 23rd February 2016, Richard Wang wrote: “no ‘Change in legal
> ownership’ in StartCom.”[10]
>
> On 24th February 2016, Richard Wang wrote: “[StartCom UK] is one of the
> shareholder of [StartCom IL].”[10]
>
> On 27th February 2016, Eddy Nigg characterised the relationship as
> follows: “StartCom owns its own roots obviously, operates as usual in
> Israel. ... We have a long-standing business relationship and
> cooperation with WoSign which keeps growing.”[10]
>
> On 2nd September 2016, Richard Wang wrote: “Please don't bind WoSign
> incident problem with StartCom, it is two independent company that one
> registered in China and one located in Israel.”[11]
>
> C) Though browsers were already in the process of investigating this
> ownership structure due to independent reports, when a former employee
> of StartCom attempted to raise broader awareness of these concerns,
> StartCom responded with legal threats. Without taking a position on the
> validity of any legal action, we do find it worrying that such
> disclosure would be met with denials and what appears to be an attempt
> to suppress this public information, as it does not engender confidence
> or trust.
>
> Additionally, it is notable that StartCom and WoSign, despite this
> relationship, have continued to exercise two votes in the CAB Forum.
> Both companies voted on ballots 175, 171, 168, 165, 162, 156 and 153,
> all of which were voted on after November 1st 2015. (In no case were
> these the deciding votes.) They also provided both endorsers for ballot
> 175. By contrast, the CA brands Symantec, Verisign and Thawte together
> have a single vote because they are controlled by the same company. This
> latter behaviour is in line with CAB Forum bylaw 2.2 (b): “Only one vote
> per Member company shall be accepted; representatives of corporate
> affiliates shall not vote.”[12]
>
> The purpose of the Mozilla rules on ownership transfer disclosure is to
> help maintain public trust through transparency. While definitions can
> never be watertight and entirely clear, we feel that this transaction is
> not in a grey area, and should have been disclosed. 48 hours ago, we
> asked representatives of WoSign and StartCom for their comments on these
> findings, asking them to respond by 08:00 UTC today, but we have not yet
> had a response on this issue.
>
> This issue is recorded as "Issue R" on the list of WoSign issues:
> https://wiki.mozilla.org/CA:WoSign_Issues
>
> Gerv
>
> [0] https://opencorporates.com/companies/hk/2271553
> [1] https://beta.companieshouse.gov.uk/company/09744347
> [2] https://beta.companieshouse.gov.uk/company/09744347/filing-history -
> choose "Annual return made up to 24 August 2015 with full list of
> shareholders"
> [3] https://beta.companieshouse.gov.uk/company/09744347/filing-history -
> choose "Incorporation Statement of capital on 2015-08-21"
> [4] https://www.icris.cr.gov.hk/csci/
> [5] https://wiki.mozilla.org/images/c/c6/Startcom-hk-details.pdf
> [6] https://wiki.mozilla.org/images/a/a7/Startcom-hk-ownership.pdf
> [7] https://wiki.mozilla.org/images/c/c1/Startcom-il-owner-list.pdf
> [8] https://wiki.mozilla.org/images/d/d8/Startcom-il-director-list.pdf
> [9]
> https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/maintenance/
> [10] These statements were made in emails to the Mozilla CA team, in an
> email thread questioning the state of the relationship between WoSign
> and StartCom in light of the Mozilla ownership transparency policy.
> [11]
> https://groups.google.com/d/msg/mozilla.dev.security.policy/k9PBmyLCi8I/AXJoyh4KDQAJ
> [12]
> https://cabforum.org/wp-content/uploads/CA-Browser-Forum-Bylaws-v.-1.4.pdf
Also this posting in IETF by Andy:
https://www.ietf.org/mail-archive/web/acme/current/msg01292.html

So at least he was not created just for this forum. Whether it's a pseudonym or not, I'm not sure. But his writing style does resemble that of the StartSSL.com

