WoSign purchased the CA "StartCom" and did not disclose the transaction as a change of ownership, in violation of which may violate section 5 of the [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/maintenance/ Mozilla CA Certificate Maintenance Policy]. More details to be provided.===WoSign Response===Among other comments:2016-09-02: [https://groups.google.com/d/msg/mozilla.dev.security.policy/k9PBmyLCi8I/AXJoyh4KDQAJ Richard Wang]: "Please don't bind WoSign incident problem with StartCom, it is two independent company that one registered in China and one located in Israel."===Further Comments===As well as any issues there may be with the disclosure of the transfer of ownership, the relationship between WoSign and StartCom is also relevant when determining the scope of any sanctions.
|Rob Stradling of Comodo writes: "These two cross-certificates are currently unexpired and unrevoked. However, the 'UTN-USERFirst-Object' root is only enabled for the Code Signing trust bit in NSS. There are 2 cross-certs (currently unconstrained and unrevoked) issued by 'AddTrust External CA Root' to 'UTN-USERFirst-Object'. However, the cross-certs issued to WoSign are EKU-constrained to Code Signing/Time Stamping."
|}
==Other Points of Note==
* While not a violation of any Mozilla policy, WoSign has promised to log all certs to CT after a certain date, and yet has not yet managed to comply with the Chrome CT policy of logging to at least one Google and one non-Google log. Arguably, this speaks to competence.