I agree that it probably is not worth dwelling on the "Andy Ligg question" in 
particular but I think there is a broader issue at play which is worth 
addressing: deception.

I think there is ample evidence that WoSign engaged in a deliberate, 
persistent, and extensive campaign of deception committed against many 
different parties within the PKI ecosystem. In some cases the deception was 
committed by Richard Wang himself while in other cases it's less clear if the 
perpetrator was Richard or someone under his supervision.

I'd like to see something included in the summary report, although I'm the 
first to admit I don't know how best to do that. It seems to me the level of 
deceptive activity here falls well outside the norm of something more innocent, 
like being coy to protect a company's proprietary information. I don't think 
we've seen anything like this from other CA representatives in this forum.

If someone reads the report without having also participated in these 
discussions it's possible that he or she will not appreciate the difficulty 
we've had at times in getting at the truth of what has transpired. In fact, I 
think we continue to struggle to understand the extent of damage committed 
precisely because of the deception.

Again, I'm not sure the best way to capture this whole idea but I think it's 
something that should not be left unsaid. 


  Original Message  
From: Gervase Markham
Sent: Monday, October 10, 2016 5:45 AM
To: i...@matthijsmelissen.nl; mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: WoSign: updated report and discussion

I don't believe this aspect of things is worth spending time on. However:

On 10/10/16 09:44, i...@matthijsmelissen.nl wrote:
> On Saturday, October 8, 2016 at 8:18:09 AM UTC+2, uri...@gmail.com
> wrote:
>> Did anyone ever determine if "Andy Ligg" is in fact a real person? 
>> (As discussed here 
>> https://groups.google.com/forum/#!msg/mozilla.dev.security.policy/0pqpLJ_lCJQ/7QRQ7oqGDwAJ
>> )
> 
> I believe Andy Ligg is a pseudonym of Richard Wang.
> 
> Have a look at this Bugzilla thread:
> https://bugzilla.mozilla.org/show_bug.cgi?id=851435 At 2015-03-12
> 08:43:09, some information related to Wosign is posted on behalf of
> Andy Li. 

This Bugzilla account was created in November 2014, presumably in order
to file this bug:
https://bugzilla.mozilla.org/show_bug.cgi?id=1106390

The email address associated with it, as anyone with a Bugzilla account
can see, is wosign at outlook dot com. Therefore, the Andy Li in
Bugzilla (not the same name as Andy Ligg, of course) claims to be
connected to WoSign, and was so long before they acquired StartCom.

Gerv
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy