LLMpedia: The first transparent, open encyclopedia generated by LLMs

WoSign

Generated by GPT-5-mini
Note: This article was automatically generated by a large language model (LLM) from purely parametric knowledge (no retrieval). It may contain inaccuracies or hallucinations. This encyclopedia is part of a research project currently under review.
Article Genealogy
Parent: GlobalSign (hop 4)
WoSign (infobox)
Name: WoSign
Type: Private
Industry: Certificate Authority
Founded: 2013
Headquarters: Beijing, China
Key people: Huang Lin (founder)
Products: TLS/SSL certificates, code signing certificates

WoSign was a certificate authority that issued X.509 certificates for use in TLS/SSL, code signing, and email authentication. Established in 2013 and headquartered in Beijing, it operated in the digital certificate ecosystem alongside entities such as DigiCert, Let's Encrypt, Symantec, Comodo, and GlobalSign. The company became widely known after multiple security incidents that led to distrust from major browser vendors, including Google, Mozilla, Apple, and Microsoft.

History

WoSign was founded in 2013 during a period of rapid expansion in public key infrastructure, alongside firms such as Entrust, Thawte, VeriSign, and GeoTrust. It grew its business by issuing certificates for web servers, software publishers, and email providers, competing with established certificate authorities like GoDaddy and RapidSSL. The firm sought inclusion in browser root programs managed by organizations such as the Mozilla Foundation and Apple, while interacting with standards bodies like the Internet Engineering Task Force and the CA/Browser Forum. As scrutiny of certificate issuance practices increased following incidents involving Symantec and DigiNotar, WoSign also came under examination by browser vendors and by auditors such as KPMG and PricewaterhouseCoopers.

Services and Products

WoSign provided digital certificates and services similar to those of Let's Encrypt and commercial vendors like DigiCert and Comodo CA. Its offerings included Domain Validation (DV), Organization Validation (OV), and Extended Validation (EV) TLS/SSL certificates, the same certificate types used by large websites such as Facebook, Amazon, and Wikipedia (which obtained theirs from other CAs), as well as code signing certificates comparable to those issued by Sectigo (formerly Comodo CA). The company also issued S/MIME certificates for secure email of the kind used by corporations such as Microsoft and IBM. WoSign certificates were deployed on web servers and platforms including Apache HTTP Server, Nginx, and Microsoft IIS, and through hosting providers like Alibaba Group and Tencent.

Security Incidents and Misissuance

Several incidents involving misissuance and procedural lapses drew attention to WoSign. Reports alleged improper issuance of certificates for domains controlled by entities associated with companies such as GitHub, and the issuance of certificates that duplicated existing intermediate authorities, echoing the controversies around DigiNotar. Independent researchers from organizations including Google Project Zero, teams linked to Codenomicon, and university labs published findings that prompted vendor reviews. The issues were considered alongside other high-profile certificate failures involving Symantec and Comodo CA, raising concerns about root program oversight by Mozilla and Apple. Investigations referenced audit standards such as WebTrust and assessments by accounting firms like Ernst & Young.

Regulatory Actions and Distrust

In response to the documented problems, major browser and platform vendors implemented distrust measures. Google announced plans that affected certificate recognition in Chrome, while Mozilla took action in the Firefox root program. Apple coordinated changes affecting iOS and macOS, and Microsoft updated the trust stores used by Windows. Certificate revocation and distrust were applied in ways similar to the responses to the Symantec incident and to the earlier DigiNotar compromise. The International Organization for Standardization (ISO) and the CA/Browser Forum influenced policy discussions on audits, and national regulators and industry groups in China and other jurisdictions monitored the fallout.

Technical Practices and Compliance

Technical scrutiny focused on WoSign's issuance practices, key management, and adherence to standards such as RFC 5280 and the guidelines of the CA/Browser Forum. Concerns included a lack of transparency in certificate issuance, prompting discussion of public logging mechanisms pioneered by Google, such as Certificate Transparency, and of related projects such as CRLite. Audits against WebTrust criteria, the use of auditing firms such as KPMG, and compliance with the Baseline Requirements were central to vendor decisions. Technical comparisons were drawn with automated issuance systems such as the ACME protocol used by Let's Encrypt, and with the hardware security module practices employed by entities like Entrust.

Impact and Legacy

The WoSign events contributed to broader reforms in the public key infrastructure landscape, reinforcing moves toward transparency, automated auditing, and stricter root program policies enforced by the Mozilla Foundation, Google, Apple, and Microsoft. The incidents accelerated adoption of Certificate Transparency, promoted alternatives such as Let's Encrypt, and influenced governance discussions at the CA/Browser Forum and standards efforts at the Internet Engineering Task Force. The legacy includes heightened scrutiny of certificate authorities, changes to audit practices by firms like Ernst & Young and KPMG, and further development of trust mechanisms affecting web platforms including Chrome, Firefox, Safari, and Edge.

Category:Certificate authorities