WoSign’s Ownership of StartCom


Gervase Markham

Sep 9, 2016, 5:49:07 AM
to mozilla-dev-s...@lists.mozilla.org
Dear m.d.s.policy,

We have been actively investigating reports that WoSign and StartCom may
have failed to comply with our policy on change of control notification.
Below is a summary representing the best of our knowledge and belief,
based on our findings and investigation to date.

The operations of the CA known as StartCom have historically been owned
and controlled by an Israeli company, number 513747303, called "סטארט
קומארשל בע”מ", or in English "Start Commercial Ltd". This company will
be referred to in this document as "StartCom IL". It has normally been
represented in public and the CAB Forum by its COO/CTO, Eddy Nigg.

On August 5th, 2015 a new company, "StartCom CA Ltd", was created in
Hong Kong.[0] This company will be referred to in this document as
"StartCom HK".

On August 21st, 2015 a new company, also called "StartCom CA Ltd", was
created in the UK.[1] This company will be referred to in this document
as "StartCom UK".

100% of the shares of “StartCom CA Ltd” in the UK are listed as being
owned by "StartCom CA Ltd".[2] This seems circular, but our
understanding is it actually refers to StartCom HK, which has the same
name. StartCom UK is documented as having two directors. One is Gaohua
(Richard) Wang, who will be known to you all as he represents WoSign in
this forum and at the CAB Forum. The other, appointed last month, is
Iñigo Barreira, formerly of the CA Izenpe and now of StartCom.

StartCom HK's 100% ownership appears to give it total control over
StartCom UK, including the ability to hire and fire directors at will,
due to a special clause (#73) in the company formation documents.[3]

StartCom HK's Company Registration Number (CRN) is 2271553, which can be
looked up at the Cyber Search Centre of the Integrated Companies
Registry Information System[4] in Hong Kong. There is a requirement for
registration and a small payment, but the relevant documents have been
provided by Mozilla. These documents show that:

* StartCom HK’s documents list only one director, Gaohua (Richard) Wang.[5]

* StartCom HK’s documents appear to show it is 100% owned (10,000
shares) by “WoSign CA Limited”.[6]

We understand that on or around the 1st of November 2015, ownership of
all of the shares in StartCom IL was transferred from 15 different
shareholders (including the majority shareholder, named Revital Nigg) to
the recently-formed StartCom UK.[7] At around the same time, Gaohua
(Richard) Wang became the sole director of StartCom IL.[8] Details of
these changes can be looked up at the appropriate Israeli governmental
department. They require a payment, but are public records, and the
relevant documents have been provided by Mozilla.

So to summarise our understanding: as of today, StartCom IL (sole
director: Richard Wang) is 100% owned by StartCom UK (two directors:
Richard Wang and Iñigo Barreira), which is 100% owned by StartCom HK
(sole director: Richard Wang), which is 100% owned by the CA WoSign
(CEO: Richard Wang).

It is important to note that there is nothing confidential about any of
the above and none of what is described is illegal. Company ownership
information in these jurisdictions is public information. CAs have been
bought and sold in the past. However, the following aspects of the
situation are problematic:

A) Mozilla's CA policy has a requirement that:

"We require that all CAs whose certificates are distributed with our
software products notify us... when the ownership control of the CA’s
certificate(s) changes, or when ownership control of the CA’s operations
changes."[9]

It seems clear to us from the above account that, if our understanding
is correct, this transaction fits this requirement - ownership control
of the CA's operations has changed, and StartCom is now wholly owned and
controlled by WoSign. However, the change in ownership was not reported
to Mozilla.

B) When questioned, representatives of StartCom and WoSign have
specifically denied that anything had happened which needed to be
reported to Mozilla, even when this particular clause of the policy was
drawn to their attention.

On 23rd February 2016, Richard Wang wrote: “no ‘Change in legal
ownership’ in StartCom.”[10]

On 24th February 2016, Richard Wang wrote: “[StartCom UK] is one of the
shareholder of [StartCom IL].”[10]

On 27th February 2016, Eddy Nigg characterised the relationship as
follows: “StartCom owns its own roots obviously, operates as usual in
Israel. ... We have a long-standing business relationship and
cooperation with WoSign which keeps growing.”[10]

On 2nd September 2016, Richard Wang wrote: “Please don't bind WoSign
incident problem with StartCom, it is two independent company that one
registered in China and one located in Israel.”[11]

C) Though browsers were already in the process of investigating this
ownership structure due to independent reports, when a former employee
of StartCom attempted to raise broader awareness of these concerns,
StartCom responded with legal threats. Without taking a position on the
validity of any legal action, we do find it worrying that such
disclosure would be met with denials and what appears to be an attempt
to suppress this public information, as it does not engender confidence
or trust.

Additionally, it is notable that StartCom and WoSign, despite this
relationship, have continued to exercise two votes in the CAB Forum.
Both companies voted on ballots 175, 171, 168, 165, 162, 156 and 153,
all of which were voted on after November 1st 2015. (In no case were
these the deciding votes.) They also provided both endorsers for ballot
175. By contrast, the CA brands Symantec, Verisign and Thawte together
have a single vote because they are controlled by the same company. This
latter behaviour is in line with CAB Forum bylaw 2.2 (b): “Only one vote
per Member company shall be accepted; representatives of corporate
affiliates shall not vote.”[12]

The purpose of the Mozilla rules on ownership transfer disclosure is to
help maintain public trust through transparency. While definitions can
never be watertight and entirely clear, we feel that this transaction is
not in a grey area, and should have been disclosed. 48 hours ago, we
asked representatives of WoSign and StartCom for their comments on these
findings, asking them to respond by 08:00 UTC today, but we have not yet
had a response on this issue.

This issue is recorded as "Issue R" on the list of WoSign issues:
https://wiki.mozilla.org/CA:WoSign_Issues

Gerv

[0] https://opencorporates.com/companies/hk/2271553
[1] https://beta.companieshouse.gov.uk/company/09744347
[2] https://beta.companieshouse.gov.uk/company/09744347/filing-history -
choose "Annual return made up to 24 August 2015 with full list of
shareholders"
[3] https://beta.companieshouse.gov.uk/company/09744347/filing-history -
choose "Incorporation Statement of capital on 2015-08-21"
[4] https://www.icris.cr.gov.hk/csci/
[5] https://wiki.mozilla.org/images/c/c6/Startcom-hk-details.pdf
[6] https://wiki.mozilla.org/images/a/a7/Startcom-hk-ownership.pdf
[7] https://wiki.mozilla.org/images/c/c1/Startcom-il-owner-list.pdf
[8] https://wiki.mozilla.org/images/d/d8/Startcom-il-director-list.pdf
[9] https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/maintenance/
[10] These statements were made in emails to the Mozilla CA team, in an
email thread questioning the state of the relationship between WoSign
and StartCom in light of the Mozilla ownership transparency policy.
[11] https://groups.google.com/d/msg/mozilla.dev.security.policy/k9PBmyLCi8I/AXJoyh4KDQAJ
[12] https://cabforum.org/wp-content/uploads/CA-Browser-Forum-Bylaws-v.-1.4.pdf

Vincent Lynch

Sep 9, 2016, 10:19:18 AM
to mozilla-dev-s...@lists.mozilla.org
At 6:10 AM EST (24 minutes after Gervase's post), WoSign's CEO Richard Wang responded to this topic. However, it has not entered the Google Groups archive. I am posting his response below for completeness, so that his post can be part of the archive and not just the email thread:

------------

from: Richard Wang <ric...@wosign.com> via lists.mozilla.org
to: Gervase Markham <ge...@mozilla.org>
cc: "mozilla-dev-s...@lists.mozilla.org" <mozilla-dev-s...@lists.mozilla.org>
date: Fri, Sep 9, 2016 at 6:10 AM

Hi all,

An announcement and disclosure will be made shortly pending completion of the business transaction.
We can provide the proof documents to Mozilla to show this transaction is not finished if Mozilla thinks it is necessary.


Regards,

Richard

Peter Kurrasch

Sep 9, 2016, 11:01:53 AM
to mozilla-dev-s...@lists.mozilla.org
Thank you, Gerv and the Mozilla CA Team, for researching and compiling this information and raising awareness with the forum. I have been thinking about this ownership item in the Mozilla policy but had not put anything together myself (and you've certainly been more thorough!).

I think it's abundantly clear that the CA we used to call simply StartCom is no more and that the relationship is intertwined with WoSign to the point that one cannot identify any meaningful separation between the two. That is, aside from legal documents in multiple jurisdictions, I'm not sure how anyone might argue that the two CAs are independent in a way that is meaningful to people in this forum or to citizens of the Internet at large. I think Peter G's name of WoStartSignCom is actually quite apt.

Indeed it will be interesting to read Richard's response, fully recognizing that he chose not to reply to Mozilla's request within a fair amount of time. The fact that Eddy is not also responding is, perhaps, all the information we need given what his level of involvement in this forum has been in years past. If Richard is already exercising control over Eddy's involvement here, the claim of independence between the two CAs is that much more specious.

I would also ask for confirmation that "Andy Ligg" is in fact a real person and not a pseudonym adopted by Richard or someone else. The similarity to Eddy's name is... remarkable. I think it's clear that Andy does not live in Bristol, but it's unclear what his role is within StartCom. My concern is that people are using pseudonyms, but I'm happy for someone to prove me wrong.

This may be a distraction (though it seems relevant?). I found this in the Chromium tracker. It's the request for StartCom's CT log inclusion. It has Eddy's and Andy's names but a phone number in Los Angeles. It seems noteworthy that the request was modified to add the WoSign certs as well as StartCom. Here's the link:



In any event, I think we're on the verge of discussing sanctions to consider against StartCom for persistent failure to comply with Mozilla root inclusion policies.

Thanks again for putting this together!



Matt Palmer

Sep 9, 2016, 8:39:14 PM
to dev-secur...@lists.mozilla.org
Hi Gerv,

On Fri, Sep 09, 2016 at 10:48:26AM +0100, Gervase Markham wrote:
> We have been actively investigating reports that WoSign and StartCom may
> have failed to comply with our policy on change of control notification.
> Below is a summary representing the best of our knowledge and belief,
> based on our findings and investigation to date.

Thanks for this exhaustive and well-written summary of the investigation.

Unless there's some contrary evidence presented by representatives of
StartCom and/or WoSign, it seems that StartCom is a fully-controlled
subsidiary of WoSign, and it should be treated as such. Any sanctions
applied to WoSign-branded roots should thus be similarly applied to
StartCom-branded roots.

- Matt

Peter Gutmann

Sep 10, 2016, 1:14:43 AM
to Peter Kurrasch, mozilla-dev-s...@lists.mozilla.org
Peter Kurrasch <fhw...@gmail.com> writes:

>I would also ask for confirmation that "Andy Ligg" is in fact a real person
>and not a pseudonym adopted by Richard or someone else. The similarity to
>Eddy's name is...remarkable.

Andy Ligg? The only similar name I saw in Gerv's post was Revital Nigg, who
I'm guessing is Eddy's wife/partner who has a majority holding for legal or
business purposes, which would be perfectly reasonable.

Peter.


Gervase Markham

Sep 10, 2016, 8:37:28 AM
to Peter Kurrasch
On 09/09/16 16:01, Peter Kurrasch wrote:
> Indeed it will be interesting to read Richard's response, fully
> recognizing that he chose not to reply to Mozilla's request within a
> fair amount of time. The fact that Eddy is not also responding is,
> perhaps, all the information we need given what his level of involvement
> in this forum has been in years past.

To be fair to Eddy, he's currently on holiday. Although I did suggest to
him he might need to take emailing equipment with him :-)

Gerv

Gervase Markham

Sep 10, 2016, 8:39:15 AM
to Percy
On 10/09/16 09:23, Percy wrote:
> I found the following info about Andy Ligg.

Percy, this is verging on doxxing. Please can you leave the
investigating of companies and people to the Mozilla CA team? If you
have further observations about StartCom or WoSign's certificate corpus,
those would be welcome.

Thanks :-)

Gerv

Han Yuwei

Sep 11, 2016, 6:09:53 AM
to mozilla-dev-s...@lists.mozilla.org
On Friday, September 9, 2016 at 5:49:07 PM UTC+8, Gervase Markham wrote:
Will this affect Mozilla's trust towards StartCom?