Accountapprovers, antispam, confirm, emeritus
4,925
edits
Changes
no edit summary
==Incident R: Purchase of StartCom (Nov 2015)==
WoSign purchased the CA "StartCom" and did not disclose the transaction as a change of ownership, in violation of which may violate section 5 of the [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/maintenance/ Mozilla CA Certificate Maintenance Policy]. More details to be provided. ===WoSign Response=== Among other comments: 2016-09-02: [https://groups.google.com/d/msg/mozilla.dev.security.policy/k9PBmyLCi8I/AXJoyh4KDQAJ Richard Wang]: "Please don't bind WoSign incident problem with StartCom, it is two independent company that one registered in China and one located in Israel." ===Further Comments=== As well as any issues there may be with the disclosure of the transfer of ownership, the relationship between WoSign and StartCom is also relevant when determining the scope of any sanctions.
==Incident S: Backdated SHA-1 Certs (January 2016)==
|Rob Stradling of Comodo writes: "These two cross-certificates are currently unexpired and unrevoked. However, the 'UTN-USERFirst-Object' root is only enabled for the Code Signing trust bit in NSS. There are 2 cross-certs (currently unconstrained and unrevoked) issued by 'AddTrust External CA Root' to 'UTN-USERFirst-Object'. However, the cross-certs issued to WoSign are EKU-constrained to Code Signing/Time Stamping."
|}
