I have just read through the mailing list thread referenced in the article, and with the important caveat that I am not an expert in this space, it seems that WoSign has failed to comply with the basic requirements a CA has to meet to be trusted by the major browsers. And compounding these failures, Richard Wang (apparently the managing director of WoSign) either doesn't grasp, or is intentionally trying to minimise the severity of the failures. Compounding the situation more, it seems that WoSign may have acquired StartCom. If true, this seems to be a much larger story, because of the (probable but not yet proven) concern that any failures WoSign is exhibiting, StartCom will exhibit too. Also Richard Wang seems to want to keep the nature of the relationship between WoSign and StartCom as vague and secret as possible. This is concerning because, in the case of CAs in particular, if they haven't done anything wrong, why are they trying to hide it?The other thing I didn't realise until I read the thread is that this situation seems to be currently unfolding - there are posts on the thread from Richard Wang dated September 2nd.
No comments yet.