On Fri, 7 Oct 2016 12:12:58 +0100 Gervase Markham <[email protected]> wrote:
> * WoSign and StartCom are to be legally separated, with the corporate
> structure changed such that Qihoo 360 owns them both individually,
> rather than WoSign owning StartCom.
>
> * There will be personnel changes:
>
> - StartCom's chairman will be Xiaosheng Tan (Chief Security Officer
> of Qihoo 360).
> - StartCom's CEO will be Inigo Barreira (formerly GM of StartCom
> Europe).
> - Richard Wang will be relieved of his duties as CEO of WoSign and
> other responsibilities. It is not decided who will replace him.
>
> * StartCom will soon provide a plan on how they will separate their
> operations and technology from that of WoSign.
>
> * In the light of these changes, Qihoo 360 request that WoSign and
> StartCom be considered separately.
>
> Mozilla is minded to agree that it is reasonable to at least consider
> the two companies separately

Consider the following hypothetical: Honest Achmed's Used Cars and Certificates operates two roots, Honest Achmed Root A and Honest Achmed Root B. The two roots share much of the same infrastructure, and over the same period of time, both roots have serious incidents, including Honest Achmed himself approving the backdating of SHA-1 certificates under both roots. After the incidents come to light, Honest Achmed's majority owner, Uncle Mehmet, fires Honest Achmed and places Root A and Root B under the control of two separate companies. He asks that Mozilla consider the fate of Root A and Root B separately.

That seems like a very unreasonable request to me - a mismanaged CA shouldn't be able to save some of their roots by spinning them off into a separate company after they're caught.

How is WoSign/StartCom different? It doesn't matter that at one point in the past WoSign and StartCom were separate companies. During the time that the incidents occurred, StartCom and WoSign were for all intents and purposes the same company, one wholly owned by the other, both managed by the same disgraced CEO, and sharing significant infrastructure. They should therefore be treated as the same company when responding to these incidents.

Any restructuring and personnel changes at this point could influence Mozilla's future consideration of StartCom and WoSign (e.g. during root inclusion requests) but it cannot change the past and therefore should not alter how Mozilla responds to what happened in the past.

Regards,
Andrew

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

