Following Mozilla’s proposal to ban its certificates for at least one year and Apple’s decision to revoke trust in its certificates, Chinese certificate authority WoSign appears to be taking serious action in hopes of obtaining forgiveness from major web browser vendors.
Mozilla met last week with representatives of StartCom and Qihoo 360, WoSign’s largest shareholder, to discuss the issues. Following the meeting, WoSign published an incident report in which it announced its decision to make some changes in leadership, operational processes and technology.
Qihoo 360 wants to completely separate WoSign and StartCom, including operations and technology, and has asked browser vendors to judge each company separately. Richard Wang, the WoSign CEO who approved the issuance of backdated certificates, which is considered the most serious problem, has been relieved of his duties.
StartCom will report directly to Qihoo 360 with Xiaosheng Tan appointed as chairman and Inigo Barreira as CEO. In addition, both companies will add all their certificates to Certificate Transparency (CT) logs.
“We completely agree that keep [sic] the global Internet security is very important for all related stakeholders including all CAs,” WoSign wrote in its incident report. “Thank you to Mozilla for its consideration of WoSign and StartCom’s current subscribers’ benefit. We appreciate that. Many customers in China find it important to use a domestic CA for purposes of security.”
The ball is now again in Mozilla’s court. The company has proposed a ban of at least one year for all new WoSign and StartCom certificates after learning of more than a dozen incidents involving the two companies, including the backdating of certificates issued after January 1, 2016.
In late September, Apple announced its intention to release security updates for iOS and OS X that would cause these products to no longer trust certificates issued by the WoSign CA Free SSL Certificate G2 intermediate CA. The company pointed out that WoSign leveraged its relationship with StartCom and Comodo to establish trust, as it does not have any root certificates in Apple’s trust store.
Google and Microsoft have yet to make any comments on this case. The companies, and Google in particular, are usually not very forgiving when it comes to misbehaving CAs.