On Monday, September 19, 2016, Richard Wang <[email protected]> wrote:
> Thanks for your pointing out one of the very important evidence for the > transaction is NOT completed till yesterday that we released the news after > it is finished at the first phase. We just finished the UK company > investment. > > For Qihoo 360, I don't know anything and I don’t have the right to do any > comment. Sorry. Considering that StartCom is hosted by Qihoo 360 https://pierrekim.github.io/blog/2016-02-16-why-i-stopped-using-startssl-because-of-qihoo-360.html and that you're the sole director of StartCom, it's hard for me to believe that you "don't know anything" about Qihoo 360. > > Best Regards, > > Richard > > -----Original Message----- > From: Peter Bowen [mailto:[email protected] <javascript:;>] > Sent: Tuesday, September 20, 2016 10:18 AM > To: Richard Wang <[email protected] <javascript:;>> > Cc: Nick Lamb <[email protected] <javascript:;>>; > [email protected] <javascript:;> > Subject: Re: Incidents involving the CA WoSign > > Richard, > > As someone pointed out on Twitter this morning, it seems that the PSC > notification for Startcom UK was filed recently: > https://s3-eu-west-1.amazonaws.com/document-api-images-prod/docs/ > UdxHYAlFj6U9DNs6VBJdnIDv4IQAWd4YKYomMERO_2o/application-pdf > Were you unaware of this filing? > > Additionally, companies that register to trade on the New York Stock > Exchange have to file reports with the US Security and Exchange > Commission. Qihoo 360 filed a report that included a list of their > variable interest entities and Qihoo's percent of economic interest in each > (https://www.sec.gov/Archives/edgar/data/1508913/ > 000114420413022823/v341745_20f.htm > page F-10). It also describes all the ways in which Qihoo 360 controls > these entities, including assuring that Qihoo has decision making authority > over the entities. > > I agree that Mozilla does not require reporting that multiple Root CAs are > Affiliates. Perhaps it should. However, as you know, the CA/Browser Forum > does require such. So I don't think it would be a stretch for Mozilla to > do so. It is something that should probably be added to the 2.3 policy > discussion. > > Thanks, > Peter > > > On Mon, Sep 19, 2016 at 6:51 PM, Richard Wang <[email protected] > <javascript:;>> wrote: > > Thanks for your detail info. > > No worry about this, all companies must be complied with local law. > > > > But I really don't care who is my company's shareholder's shareholder's > shareholder, you need to find out this by yourself if you care. > > > > If you think Mozilla must require this, please add to the Mozilla policy > that require all CA disclose its nine generation including all subordinate > companies and all parent companies. > > > > > > Best Regards, > > > > Richard > > > > -----Original Message----- > > From: dev-security-policy > > [mailto:dev-security-policy-bounces+richard <javascript:;> > [email protected] > > rg] On Behalf Of Nick Lamb > > Sent: Tuesday, September 20, 2016 9:06 AM > > To: [email protected] <javascript:;> > > Subject: Re: Incidents involving the CA WoSign > > > > On Tuesday, 20 September 2016 01:25:59 UTC+1, Richard Wang wrote: > >> This case is WoSign problem, you found out all related subordinate > companies and all related parent companies that up to nine generations! I > think this is NOT the best practice in the modern law-respect society. > > > > It seems the governments of the European Union countries (including the > UK where one of the mentioned companies is located) disagree with you about > whether this is best practice. > > > > Identifying individual human persons behind a company is a key plank of > their anti-money laundering and anti-tax evasion policies. To identify > these human persons it is necessary to look through any number (even more > than nine) of layers of corporate ownership. In the UK the legal term is > Persons with Significant Control and PSC registration is mandatory since > this summer, a company registered in the UK is obliged to figure out if > there are such Persons and if so list them in its routine filings. Failing > to properly investigate, or concealing the truth about control of the > company is punishable by forfeiture, ie the state would seize the company's > assets. > -- _______________________________________________ dev-security-policy mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security-policy
