Did anyone ever determine if "Andy Ligg" is in fact a real person? (As discussed here https://groups.google.com/forum/#!msg/mozilla.dev.security.policy/0pqpLJ_lCJQ/7QRQ7oqGDwAJ )
If he in fact was a pseudonym for a WoSign employee, then arguably there was no distinction between WoSign and StartCom. (And of course the issue that no-one from StartCom objected to a pseudonym being used to represent them.)

On Friday, October 7, 2016 at 3:41:38 PM UTC-4, Jakob Bohm wrote:

> On 07/10/2016 19:25, Andrew Ayer wrote:
>
> > On Fri, 7 Oct 2016 12:12:58 +0100 Gervase Markham <[email protected]> wrote:
> >
> >> * WoSign and StartCom are to be legally separated, with the corporate structure changed such that Qihoo 360 owns them both individually, rather than WoSign owning StartCom.
> >>
> >> * There will be personnel changes:
> >>
> >> - StartCom's chairman will be Xiaosheng Tan (Chief Security Officer of Qihoo 360).
> >> - StartCom's CEO will be Inigo Barreira (formerly GM of StartCom Europe).
> >> - Richard Wang will be relieved of his duties as CEO of WoSign and other responsibilities. It is not decided who will replace him.
> >>
> >> * StartCom will soon provide a plan on how they will separate their operations and technology from that of WoSign.
> >>
> >> * In the light of these changes, Qihoo 360 request that WoSign and StartCom be considered separately.
> >>
> >> Mozilla is minded to agree that it is reasonable to at least consider the two companies separately
> >
> > Consider the following hypothetical: Honest Achmed's Used Cars and Certificates operates two roots, Honest Achmed Root A and Honest Achmed Root B. The two roots share much of the same infrastructure, and over the same period of time, both roots have serious incidents, including Honest Achmed himself approving the backdating of SHA-1 certificates under both roots.
> >
> > After the incidents come to light, Honest Achmed's majority owner, Uncle Mehmet, fires Honest Achmed and places Root A and Root B under the control of two separate companies. He asks that Mozilla consider the fate of Root A and Root B separately.
> >
> > That seems like a very unreasonable request to me - a mismanaged CA shouldn't be able to save some of their roots by spinning them off into a separate company after they're caught. How is WoSign/StartCom different? It doesn't matter that at one point in the past WoSign and StartCom were separate companies. During the time that the incidents occurred, StartCom and WoSign were for all intents and purposes the same company, one wholly owned by the other, both managed by the same disgraced CEO, and sharing significant infrastructure. They should therefore be treated as the same company when responding to these incidents.
> >
> > Any restructuring and personnel changes at this point could influence Mozilla's future consideration of StartCom and WoSign (e.g. during root inclusion requests) but it cannot change the past and therefore should not alter how Mozilla responds to what happened in the past.
>
> I would say that it is only natural that when Mozilla or other root programs act a bit like an enforcement court that it is reasonable that the root programs consider the same kinds of "soft" circumstances that a regular court would consider when measuring out punishments.
>
> While it is probably too late at this hour (it is already Saturday in China, it is already Sabbath in Israel (sunset), and it is late Friday night on the British Isles), some things that could potentially be added to increase the justification of treating a reborn B better than A might be (I have absolutely no decision power in this, just arguing in general):
>
> - Something that involves a significant economic cost to Uncle Mehmet, thus providing a strong economic disincentive to other CA owners that might want to participate in a race to the bottom. Each of the following suggestions would involve at least some such cost.
>
> - Removing ownership of B from the organization that owned it during its bad year, just in case someone higher up was complicit in ways other than trusting Nephew Honest Achmed. For example this could involve selling B at a significant loss.
>
> - A promise that the new / rebooted leaders of B will before a specified date, and at B's or Mehmet's cost, go through the records from when they first started talking to Achmed until the reform, looking for mis-issued certificates and/or any way in which Achmed could have issued certificates not on their records (for example, was Achmed or his minions given access to the private key or to some other way of signing certificates outside the control of the HSM? Did the HSM ever stop counting issued certificates such that the number of issued certificates is no longer provable? Did the HSM ever issue certificates that can neither be found nor revoked due to unknown serial number, for example?).
>
> - A promise that before another specified date, an outside auditor chosen by no one from the A/B/M family will do the same checks as above, and be paid a specified fee for doing so.
>
> - A promise that new B roots will be spun up and all genuine certificates reissued at B's or Mehmet's cost before a specified date, such that 1 month after that date, all the old B roots can be distrusted.
>
> - A condition that B issues no certificates for the next 15 months, maintaining a perfect record of functional revocation services during that time, only then being allowed to reenter with new root keys. This may or may not be combined with permission to let another (independent, well-established) CA run the B brand as seen by subscribers, with all vetting and security handled by that independent CA, but with a contractual condition that said independent CA is not allowed to actively steal customers over to its own brand unless B closes permanently or is refused reentry to the root programs. Thus B would lose 15 months of income while keeping up significant operational costs just for the hope of maybe getting readmitted.
>
> Enjoy
>
> Jakob
> --
> Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
> Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
> This public discussion message is non-binding and may contain errors.
> WiseMo - Remote Service Management for PCs, Phones and Embedded

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

