On Monday, September 19, 2016 at 5:25:59 PM UTC-7, Richard Wang wrote:
> Your behavior let me think of a Chinese word "株连九族", means "to implicate the
> nine generations of a family", this is an extreme penalty in feudal times in
> China that if a man committed a crime, the whole clan that up to nine
> generation was implicated, all must be killed together.
As it has been pointed out, StartCom has an obligation to disclose if ownership
was changed, at least with respect to root program agreements.
I would like to request that you answer the questions Peter poses, by pointing
to any public documentation beyond statements by yourself, WoSign, or StartCom,
that can provide a different picture than what Peter has reported.
Without having clear, factual, and accurate documentation that StartCom is not
wholly owned and operated by WoSign - which all evidence presented points
clearly to that fact - then it's clear that any action taken, if any, must also
apply to StartCom, as it represents the same set of organizational CAs and the
same fundamental issues regarding trust.
Unfortunately, it's unclear if you're intentionally misleading the community,
or if you're tragically uninformed, but the documents in
fully support the conclusion that StartCom is wholly owned by WoSign, which
itself is majority owned by Qihoo 360. While the latter is, perhaps, not
relevant to the general topic of root program agreements, it is relevant in two
1) It supports the claim that Qihoo 360, WoSign, and StartCom may have acted
improperly with respect to their membership in the CA/Browser Forum. This is a
matter for the CA/Browser Forum to sort out.
2) It supports the claim that, by listing Qihoo 360 officers as Persons with
Significant Control, that StartCom (UK), which wholly owns StartCom (IL), is
itself wholly owned by StartCom (HK), which itself is wholly owned by WoSign
(CN), which itself is majority owned by direct and indirect parties of Qihoo
360. That is, there's no evidence to suggest that these offers independently
invested in any portion of StartCom or WoSign, and that their only legal
reasoning for being noted as PSCs is due to their relationship to the 'parent'
organization of Qihoo 360.
Further relevant to this discussion is the date upon which these parties are
listed as PSCs. The filing date - 14/9/2016 - does not itself have bearing on
your claim that it was recently completed.
1) We can note that the date of confirmation was 24/8/2016 - which supports the
claim that this was preexisting at the point this discussion began. Further,
this is already part of the legally required annual confirmation statement.
https://beta.companieshouse.gov.uk/company/09744347 shows this very clearly -
that such reports happen on an annual basis and when they're due by, and when
they're processed by.
2) The Persons with Significant Control are noted as becoming registerable on
06/04/2016. While one might naively believe this to have been in April (which
would have obligated a StartCom disclosure at least that far back), if you
examine the guidance in
- in particular, the summary guidance - page 4 makes it unambiguously clear
that for existing companies, the PSCs' shall be noted as becoming registerable
To make it abundantly clear: All evidence points uncategorically and
unquestionably to StartCom having been acquired by WoSign, and both parties
failing to disclose this transition for over a year, despite repeated private
and public requests for clarification and disclosure. Further, the statements
by WoSign as characterizing this as an equity investment seem to be
intentionally phrased in such a way to mislead the public and this community,
which significantly undermines trust.
I'm sure you're quite exhausted from this discussion, but it must be stated yet
again: The goal is to ensure that any conclusions drawn have the full facts and
evidence to support them. There is a preponderance of evidence suggesting that
you have actively mislead this community, and this is the last opportunity to
provide any form of evidence - not just statements - that support your claim.
As this discussion has been ongoing - and you've been aware of it since
February - it seems entirely reasonable to request that you reply within the
next 48 hours. Barring that, at least some of us must conclude that you're
actively attempting to evade root program requirements, actively misleading the
community, and acting in a way counter to the public trust, and with all of the
consequences that entails.
dev-security-policy mailing list