* The question of why StartCom was able to trigger certificate-issuance code which WoSign has stopped developing and maintaining is also still open.
==Issue X: Unpatched Software (September 2016)==
The WoSign [https://www.wosign.com/report/wosign_incidents_report_09042016.pdf report], produced in response to other issues raised, has a screenshot of a dig query from their validation server. The dig program is part of the bind-utils package, and the output of dig appears to show a bind-utils version of 9.7.3-8.P3.el6. The "el6" shows that this is a version built for Red Hat Enterprise Linux 6. This version of bind-utils was released in [https://rhn.redhat.com/errata/RHBA-2011-1697.html December 2011] and so is very out of date.
The next release of this package for EL6 following the one WoSign are using is bind-utils 9.7.3-8.P3.el6_2.1, which was released [https://rhn.redhat.com/errata/RHBA-2011-1836.html a little later in December 2011]. The most recent version is 9.8.2-0.47.rc1.el6, which was released on the [https://rhn.redhat.com/errata/RHBA-2016-0784.html 10th of May 2016].
There are 19 patched CVEs between the version WoSign is running and the current version. None of these CVEs are especially severe. However, if this software is in fact that far out of date (nearly five years), it raises questions about the overall patch level of their verification server and even their other infrastructure.
WoSign's [https://cert.webtrust.org/SealFile?seal=2019&file=pdf most recent audit] used the "[http://www.webtrust.org/homepage-documents/item79806.pdf SSL Baseline With Network Security - Version 2.0]" criteria. These criteria integrate two CA/Browser Forum Documents - the SSL BRs and the Network & Certificate Systems Security Requirements.
A bullet on page 19 of the Network Security Requirements requires that "Recommended security patches are applied to Certificate Systems within six months of the security patch’s availability, unless the CA documents that the security patch would introduce additional vulnerabilities or instabilities that outweigh the benefits of applying the security patch." That appears not to be true of their version of bind, and so may well not be true of other more critical packages on their systems.
We would expect the presence of badly outdated software and the lack of an appropriate patching regime to have been caught by WoSign's auditors.
Thanks to Paul Pearce for his help with this issue.
==Cross Signing==