On Monday, September 19, 2016, Richard Wang <rich...@wosign.com> wrote:

> Thanks for your pointing out one of the very important evidence for the
> transaction is NOT completed till yesterday that we released the news after
> it is finished at the first phase. We just finished the UK company
> investment.
>
> For Qihoo 360, I don't know anything and I don’t have the right to do any
> comment. Sorry.

Considering that StartCom is hosted by Qihoo 360
https://pierrekim.github.io/blog/2016-02-16-why-i-stopped-using-startssl-because-of-qihoo-360.html
and
that you're the sole director of StartCom, it's hard for me to believe that
you "don't know anything" about Qihoo 360.

>
> Best Regards,
>
> Richard
>
> -----Original Message-----
> From: Peter Bowen [mailto:pzbo...@gmail.com <javascript:;>]
> Sent: Tuesday, September 20, 2016 10:18 AM
> To: Richard Wang <rich...@wosign.com <javascript:;>>
> Cc: Nick Lamb <tialara...@gmail.com <javascript:;>>;
> mozilla-dev-security-pol...@lists.mozilla.org <javascript:;>
> Subject: Re: Incidents involving the CA WoSign
>
> Richard,
>
> As someone pointed out on Twitter this morning, it seems that the PSC
> notification for Startcom UK was filed recently:
> https://s3-eu-west-1.amazonaws.com/document-api-images-prod/docs/
> UdxHYAlFj6U9DNs6VBJdnIDv4IQAWd4YKYomMERO_2o/application-pdf
>  Were you unaware of this filing?
>
> Additionally, companies that register to trade on the New York Stock
> Exchange have to file reports with the US Security and Exchange
> Commission.  Qihoo 360 filed a report that included a list of their
> variable interest entities and Qihoo's percent of economic interest in each
> (https://www.sec.gov/Archives/edgar/data/1508913/
> 000114420413022823/v341745_20f.htm
> page F-10).  It also describes all the ways in which Qihoo 360 controls
> these entities, including assuring that Qihoo has decision making authority
> over the entities.
>
> I agree that Mozilla does not require reporting that multiple Root CAs are
> Affiliates.  Perhaps it should.  However, as you know, the CA/Browser Forum
> does require such.  So I don't think it would be a stretch for Mozilla to
> do so.  It is something that should probably be added to the 2.3 policy
> discussion.
>
> Thanks,
> Peter
>
>
> On Mon, Sep 19, 2016 at 6:51 PM, Richard Wang <rich...@wosign.com
> <javascript:;>> wrote:
> > Thanks for your detail info.
> > No worry about this, all companies must be complied with local law.
> >
> > But I really don't care who is my company's shareholder's shareholder's
> shareholder, you need to find out this by yourself if you care.
> >
> > If you think Mozilla must require this, please add to the Mozilla policy
> that require all CA disclose its nine generation including all subordinate
> companies and all parent companies.
> >
> >
> > Best Regards,
> >
> > Richard
> >
> > -----Original Message-----
> > From: dev-security-policy
> > [mailto:dev-security-policy-bounces+richard <javascript:;>
> =wosign.com@lists.mozilla.o
> > rg] On Behalf Of Nick Lamb
> > Sent: Tuesday, September 20, 2016 9:06 AM
> > To: mozilla-dev-security-pol...@lists.mozilla.org <javascript:;>
> > Subject: Re: Incidents involving the CA WoSign
> >
> > On Tuesday, 20 September 2016 01:25:59 UTC+1, Richard Wang  wrote:
> >> This case is WoSign problem, you found out all related subordinate
> companies and all related parent companies that up to nine generations! I
> think this is NOT the best practice in the modern law-respect society.
> >
> > It seems the governments of the European Union countries (including the
> UK where one of the mentioned companies is located) disagree with you about
> whether this is best practice.
> >
> > Identifying individual human persons behind a company is a key plank of
> their anti-money laundering and anti-tax evasion policies. To identify
> these human persons it is necessary to look through any number (even more
> than nine) of layers of corporate ownership. In the UK the legal term is
> Persons with Significant Control and PSC registration is mandatory since
> this summer, a company registered in the UK is obliged to figure out if
> there are such Persons and if so list them in its routine filings. Failing
> to properly investigate, or concealing the truth about control of the
> company is punishable by forfeiture, ie the state would seize the company's
> assets.
>


--
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Reply via email to