On Monday, September 19, 2016 at 5:25:59 PM UTC-7, Richard Wang wrote:
> Your behavior let me think of a Chinese word "株连九族", means "to implicate the 
> nine generations of a family", this is an extreme penalty in feudal times in 
> China that if a man committed a crime, the whole clan that up to nine 
> generation was implicated, all must be killed together.  


As it has been pointed out, StartCom has an obligation to disclose if ownership 
was changed, at least with respect to root program agreements.

I would like to request that you answer the questions Peter poses, by pointing 
to any public documentation beyond statements by yourself, WoSign, or StartCom, 
that can provide a different picture than what Peter has reported.

Without having clear, factual, and accurate documentation that StartCom is not 
wholly owned and operated by WoSign - which all evidence presented points 
clearly to that fact - then it's clear that any action taken, if any, must also 
apply to StartCom, as it represents the same set of organizational CAs and the 
same fundamental issues regarding trust.

Unfortunately, it's unclear if you're intentionally misleading the community, 
or if you're tragically uninformed, but the documents in 
 fully support the conclusion that StartCom is wholly owned by WoSign, which 
itself is majority owned by Qihoo 360. While the latter is, perhaps, not 
relevant to the general topic of root program agreements, it is relevant in two 
important matters:

1) It supports the claim that Qihoo 360, WoSign, and StartCom may have acted 
improperly with respect to their membership in the CA/Browser Forum. This is a 
matter for the CA/Browser Forum to sort out.

2) It supports the claim that, by listing Qihoo 360 officers as Persons with 
Significant Control, that StartCom (UK), which wholly owns StartCom (IL), is 
itself wholly owned by StartCom (HK), which itself is wholly owned by WoSign 
(CN), which itself is majority owned by direct and indirect parties of Qihoo 
360. That is, there's no evidence to suggest that these offers independently 
invested in any portion of StartCom or WoSign, and that their only legal 
reasoning for being noted as PSCs is due to their relationship to the 'parent' 
organization of Qihoo 360.

Further relevant to this discussion is the date upon which these parties are 
listed as PSCs. The filing date - 14/9/2016 - does not itself have bearing on 
your claim that it was recently completed.

1) We can note that the date of confirmation was 24/8/2016 - which supports the 
claim that this was preexisting at the point this discussion began. Further, 
this is already part of the legally required annual confirmation statement. 
https://beta.companieshouse.gov.uk/company/09744347 shows this very clearly - 
that such reports happen on an annual basis and when they're due by, and when 
they're processed by.
2) The Persons with Significant Control are noted as becoming registerable on 
06/04/2016. While one might naively believe this to have been in April (which 
would have obligated a StartCom disclosure at least that far back), if you 
examine the guidance in 
 - in particular, the summary guidance - page 4 makes it unambiguously clear 
that for existing companies, the PSCs' shall be noted as becoming registerable 
on 06/04/2016.

To make it abundantly clear: All evidence points uncategorically and 
unquestionably to StartCom having been acquired by WoSign, and both parties 
failing to disclose this transition for over a year, despite repeated private 
and public requests for clarification and disclosure. Further, the statements 
by WoSign as characterizing this as an equity investment seem to be 
intentionally phrased in such a way to mislead the public and this community, 
which significantly undermines trust.

I'm sure you're quite exhausted from this discussion, but it must be stated yet 
again: The goal is to ensure that any conclusions drawn have the full facts and 
evidence to support them. There is a preponderance of evidence suggesting that 
you have actively mislead this community, and this is the last opportunity to 
provide any form of evidence - not just statements - that support your claim.

As this discussion has been ongoing - and you've been aware of it since 
February - it seems entirely reasonable to request that you reply within the 
next 48 hours. Barring that, at least some of us must conclude that you're 
actively attempting to evade root program requirements, actively misleading the 
community, and acting in a way counter to the public trust, and with all of the 
consequences that entails.
dev-security-policy mailing list

Reply via email to