WoSign’s CEO Richard Wang to Step Down Following Mis-Issuance.
Last week, Mozilla met with representatives from WoSign and StartCom to discuss their mis-issuances and violations of industry standards, including intentional circumvention of standards set by the Certificate Authority & Browser Forum (CA/B Forum) which all CA’s abide by to remain “trusted” issuers of SSL certificates.
The meeting marked yet another stage in what has been a long investigation intoviolations by both CAs. QiHoo 360, a major Chinese security firm, that owns both CAs, also attended.
Afterward, QiHoo 360 issued an updated incident report and proposal for fixing the issues at both CAs.
WoSign is now admitting that it back-dated 64 certificates and signed them with the now-outmoded SHA-1 hashing algorithm. Some of these – most notably certificates for the Australian payment processor Tyro.com – were intentionally back-dated with approval from Richard Wang, WoSign’s CEO.
As a result, Richard Wang will be replaced as the CEO of WoSign, a position he held for 14 years according to LinkedIn. His replacement has not yet been named.
In addition, StartCom will be legally separated from WoSign—both CAs will now be individually owned by QiHoo 360. It may seem as though this is just a detail for the corporate lawyers to worry about, but the operation of a CA is material to discussions of mis-issuance and sanctions.
Currently, there is ongoing debate on Mozilla’s Security Policy mailing list about whether WoSign and StartCom should be punished separately, or as one entity.
There is no debate about whether WoSign is guilty of serious misconduct. Under the leadership of Richard Wang, WoSign was mis-managed, intentionally back-dated certificates, and put extremely flawed software into production.
Two of the most serious violations – the failures of the StartEncrypt software – which improperly implemented domain validation, allowing anyone to get certificates for certain sites – and the Tyro.com certificate technically committed by StartCom, under their name and root certificates.
But, is StartCom equally guilty?
Both those violations occurred under the leadership – and with the approval – of WoSign and Richard Wang.
Are these violations an extension of WoSign’s problems? Or is StartCom on the hook, regardless of who was operating the company at that time? If the two CAs are separated again, is there any reason to believe that StartCom will continue to be a threat to the Web PKI ecosystem?
In its report, QiHoo 360 wrote, “StartCom has been operating as a compliant, separate CA for many years and the only noted issue with StartCom (two backdated certificates issued in July 2016) was an action approved by WoSign CEO Richard Wang.”
Inigo Barreira (who worked for the Spanish CA Izenpe and recently joined StartCom) will become StartCom’s new CEO.
In addition to the new leadership, StartCom’s issuance systems will also be separated from WoSign’s. Mozilla has pointed to the unified software and issuance practices of WoSign and StartCom as evidence that the two CAs were virtually identical and should be treated as such.
There is good reason to believe that restoring StartCom’s independence and new leadership could sort out the CAs problems. But those arguing for equal punishment of both WoSign and StartCom are concerned about letting CAs off too lightly for major policy violations, and do not want to encourage companies that own multiple CAs to play complicated games with their legal registration and organizational structure to reduce risk in the event of violations.
QiHoo 360 would prefer sanctions against WoSign and Startcom to be “considered separately.” It is hoping to show the industry that by recognizing and separating the two CAs, they are committed to fixing the problems that have beset both companies.
Mozilla has said it will “consider” treating the two companies separately, although, “that does not preclude the possibility that [it] might decide to take the same action for both of them.”
Apple’s Root Program, which is rarely active in public debate, has already taken action and has spared StartCom (for now). The other major root programs – Google and Microsoft – are still undecided.