As someone pointed out on Twitter this morning, it seems that the PSC
notification for Startcom UK was filed recently:
 Were you unaware of this filing?

Additionally, companies that register to trade on the New York Stock
Exchange have to file reports with the US Security and Exchange
Commission.  Qihoo 360 filed a report that included a list of their
variable interest entities and Qihoo's percent of economic interest in
page F-10).  It also describes all the ways in which Qihoo 360
controls these entities, including assuring that Qihoo has decision
making authority over the entities.

I agree that Mozilla does not require reporting that multiple Root CAs
are Affiliates.  Perhaps it should.  However, as you know, the
CA/Browser Forum does require such.  So I don't think it would be a
stretch for Mozilla to do so.  It is something that should probably be
added to the 2.3 policy discussion.


On Mon, Sep 19, 2016 at 6:51 PM, Richard Wang <> wrote:
> Thanks for your detail info.
> No worry about this, all companies must be complied with local law.
> But I really don't care who is my company's shareholder's shareholder's 
> shareholder, you need to find out this by yourself if you care.
> If you think Mozilla must require this, please add to the Mozilla policy that 
> require all CA disclose its nine generation including all subordinate 
> companies and all parent companies.
> Best Regards,
> Richard
> -----Original Message-----
> From: dev-security-policy 
> [] On 
> Behalf Of Nick Lamb
> Sent: Tuesday, September 20, 2016 9:06 AM
> To:
> Subject: Re: Incidents involving the CA WoSign
> On Tuesday, 20 September 2016 01:25:59 UTC+1, Richard Wang  wrote:
>> This case is WoSign problem, you found out all related subordinate companies 
>> and all related parent companies that up to nine generations! I think this 
>> is NOT the best practice in the modern law-respect society.
> It seems the governments of the European Union countries (including the UK 
> where one of the mentioned companies is located) disagree with you about 
> whether this is best practice.
> Identifying individual human persons behind a company is a key plank of their 
> anti-money laundering and anti-tax evasion policies. To identify these human 
> persons it is necessary to look through any number (even more than nine) of 
> layers of corporate ownership. In the UK the legal term is Persons with 
> Significant Control and PSC registration is mandatory since this summer, a 
> company registered in the UK is obliged to figure out if there are such 
> Persons and if so list them in its routine filings. Failing to properly 
> investigate, or concealing the truth about control of the company is 
> punishable by forfeiture, ie the state would seize the company's assets.
dev-security-policy mailing list

Reply via email to