Certificate policy violations force reform at StartCom and WoSign

The two CAs will be separated and their CEO will be replaced

The top management of StartCom and WoSign will be replaced and the two certificate authorities will undergo audits after browser vendors discovered that they mis-issued many digital certificates, violating industry rules.

The investigation launched by Mozilla led to the discovery of 13 instances where China-based WoSign and its subsidiary StartCom issued certificates with various types of problems. Evidence was also found that both CAs issued certificates signed with the SHA-1 algorithm after Jan. 1 in violation of industry rules and intentionally backdated them to avoid being caught.

As a result, Mozilla said that it has lost faith in the ability of WoSign and StartCom to correctly carry out the functions of a CA and announced that it will stop trusting new certificates from the two companies. Apple followed suit and announced its own ban for future WoSign and StartCom certificates last week.

WoSign provided explanations for all of the discovered issues in a detailed response Friday and admitted that it had issued 64 backdated certificates, 42 intentionally. This will cost the WoSign CEO, Richard Wang, his job.

"WoSign acknowledges it made a serious mistake of issuing 64 backdated certificates. It is the responsibility of the WoSign CEO to maintain technical and operational veracity according to CA standards (including no backdating) and there was a failure to do so," WoSign said in its response. "WoSign was contacted by customers requesting SHA-1 and WoSign made a mistake to approve of backdated certificates. During mid 2016, StartCom was contacted by Tyro for a SHA-1 certificate and Richard Wang approved the issuance, which was a mistake."

The company said that the decision to backdate certificates was taken to help desperate customers in China who could no longer obtain SHA-1 certificates and were having trouble supporting the millions of computers in the country that still use Windows XP with Service Pack 2.

Chinese Internet security company Qihoo 360, which owns a majority stake in WoSign and implicitly in StartCom, has stepped in and decided to separate the two CAs.

"360’s Corporate Development team has been notified to execute the process to legally separate Wosign and Startcom and to begin executing personnel reassignments," the company said. "StartCom’s chairman will be Xiaosheng Tan (Chief Security Officer of Qihoo 360). StartCom’s CEO will be Inigo Barreira (formerly GM of StartCom Europe). Richard Wang will be relieved of his duties as CEO of WoSign."

Qihoo 360 noted that StartCom has been operating as a compliant CA for many years and that its only error after being acquired by WoSign was to issue two backdated certificates with Wang's approval.

Because of this, the company wants StartCom to be completely separated and to report directly to Qihoo. It also wants browser vendors to consider the repercussions of this incident separately for WoSign and StartCom. The latter is preparing its own response and go-forward plan.

StartCom was founded in 1999 in Israel and was the first CA to offer free digital certificates. Most of the company's customers are from outside China, unlike WoSign's. A ban on future StartCom certificates would force many organizations in Europe, North America and elsewhere to search for new certificate providers when their existing certificates expire.

