Dear m.d.s.policy,

We have been actively investigating reports that WoSign and StartCom may
have failed to comply with our policy on change of control notification.
Below is a summary representing the best of our knowledge and belief,
based on our findings and investigation to date.

The operations of the CA known as StartCom have historically been owned
and controlled by an Israeli company, number 513747303, called "סטארט
קומארשל בע”מ", or in English "Start Commercial Ltd". This company will
be referred to in this document as "StartCom IL". It has normally been
represented in public and the CAB Forum by its COO/CTO, Eddy Nigg.

On August 5th, 2015 a new company, "StartCom CA Ltd", was created in
Hong Kong.[0] This company will be referred to in this document as
"StartCom HK".

On August 21st, 2015 a new company, also called "StartCom CA Ltd", was
created in the UK.[1] This company will be referred to in this document
as "StartCom UK".

100% of the shares of “StartCom CA Ltd” in the UK are listed as being
owned by "StartCom CA Ltd".[2] This seems circular, but our
understanding is it actually refers to StartCom HK, which has the same
name. StartCom UK is documented as having two directors. One is Gaohua
(Richard) Wang, who will be known to you all as he represents WoSign in
this forum and at the CAB Forum. The other, appointed last month, is
Iñigo Barreira, formerly of the CA Izenpe and now of StartCom.

StartCom HK's 100% ownership appears to give it total control over
StartCom UK, including the ability to hire and fire directors at will,
due to a special clause (#73) in the company formation documents.[3]

StartCom HK's Company Registration Number (CRN) is 2271553, which can be
looked up at the Cyber Search Centre of the Integrated Companies
Registry Information System[4] in Hong Kong. There is a requirement for
registration and a small payment, but the relevant documents have been
provided by Mozilla. These documents show that:

* StartCom HK’s documents list only one director, Gaohua (Richard) Wang.[5]
* StartCom HK’s documents appear to show it is 100% owned (10,000
  shares) by “WoSign CA Limited”.[6]

We understand that on or around the 1st of November 2015, ownership of
all of the shares in StartCom IL was transferred from 15 different
shareholders (including the majority shareholder, named Revital Nigg) to
the recently-formed StartCom UK.[7] At around the same time, Gaohua
(Richard) Wang became the sole director of StartCom IL.[8] Details of
these changes can be looked up at the appropriate Israeli governmental
department. They require a payment, but are public records, and the
relevant documents have been provided by Mozilla.

So to summarise our understanding: as of today, StartCom IL (sole
director: Richard Wang) is 100% owned by StartCom UK (two directors:
Richard Wang and Iñigo Barreira), which is 100% owned by StartCom HK
(sole director: Richard Wang), which is 100% owned by the CA WoSign
(CEO: Richard Wang).

It is important to note that there is nothing confidential about any of
the above and none of what is described is illegal. Company ownership
information in these jurisdictions is public information. CAs have been
bought and sold in the past. However, the following aspects of the
situation are problematic:

A) Mozilla's CA policy has a requirement that:
"We require that all CAs whose certificates are distributed with our
software products notify us... when the ownership control of the CA’s
certificate(s) changes, or when ownership control of the CA’s operations
changes."[9]

It seems clear to us from the above account that, if our understanding
is correct, this transaction fits this requirement - ownership control
of the CA's operations has changed, and StartCom is now wholly owned and
controlled by WoSign. However, the change in ownership was not reported
to Mozilla.

B) When questioned, representatives of StartCom and WoSign have
specifically denied that anything had happened which needed to be
reported to Mozilla, even when this particular clause of the policy was
drawn to their attention.

On 23rd February 2016, Richard Wang wrote: “no ‘Change in legal
ownership’ in StartCom.”[10]

On 24th February 2016, Richard Wang wrote: “[StartCom UK] is one of the
shareholder of [StartCom IL].”[10]

On 27th February 2016, Eddy Nigg characterised the relationship as
follows: “StartCom owns its own roots obviously, operates as usual in
Israel. ... We have a long-standing business relationship and
cooperation with WoSign which keeps growing.”[10]

On 2nd September 2016, Richard Wang wrote: “Please don't bind WoSign
incident problem with StartCom, it is two independent company that one
registered in China and one located in Israel.”[11]

C) Though browsers were already in the process of investigating this
ownership structure due to independent reports, when a former employee
of StartCom attempted to raise broader awareness of these concerns,
StartCom responded with legal threats. Without taking a position on the
validity of any legal action, we do find it worrying that such
disclosure would be met with denials and what appears to be an attempt
to suppress this public information, as it does not engender confidence
or trust.

Additionally, it is notable that StartCom and WoSign, despite this
relationship, have continued to exercise two votes in the CAB Forum.
Both companies voted on ballots 175, 171, 168, 165, 162, 156 and 153,
all of which were voted on after November 1st 2015. (In no case were
these the deciding votes.) They also provided both endorsers for ballot
175. By contrast, the CA brands Symantec, Verisign and Thawte together
have a single vote because they are controlled by the same company. This
latter behaviour is in line with CAB Forum bylaw 2.2 (b): “Only one vote
per Member company shall be accepted; representatives of corporate
affiliates shall not vote.”[12]

The purpose of the Mozilla rules on ownership transfer disclosure is to
help maintain public trust through transparency. While definitions can
never be watertight and entirely clear, we feel that this transaction is
not in a grey area, and should have been disclosed. 48 hours ago, we
asked representatives of WoSign and StartCom for their comments on these
findings, asking them to respond by 08:00 UTC today, but we have not yet
had a response on this issue.

This issue is recorded as "Issue R" on the list of WoSign issues:
https://wiki.mozilla.org/CA:WoSign_Issues

Gerv

[0] https://opencorporates.com/companies/hk/2271553
[1] https://beta.companieshouse.gov.uk/company/09744347
[2] https://beta.companieshouse.gov.uk/company/09744347/filing-history -
    choose "Annual return made up to 24 August 2015 with full list of
    shareholders"
[3] https://beta.companieshouse.gov.uk/company/09744347/filing-history -
    choose "Incorporation Statement of capital on 2015-08-21"
[4] https://www.icris.cr.gov.hk/csci/
[5] https://wiki.mozilla.org/images/c/c6/Startcom-hk-details.pdf
[6] https://wiki.mozilla.org/images/a/a7/Startcom-hk-ownership.pdf
[7] https://wiki.mozilla.org/images/c/c1/Startcom-il-owner-list.pdf
[8] https://wiki.mozilla.org/images/d/d8/Startcom-il-director-list.pdf
[9] https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/maintenance/
[10] These statements were made in emails to the Mozilla CA team, in an
     email thread questioning the state of the relationship between WoSign
     and StartCom in light of the Mozilla ownership transparency policy.
[11] https://groups.google.com/d/msg/mozilla.dev.security.policy/k9PBmyLCi8I/AXJoyh4KDQAJ
[12] https://cabforum.org/wp-content/uploads/CA-Browser-Forum-Bylaws-v.-1.4.pdf