Richard, As someone pointed out on Twitter this morning, it seems that the PSC notification for Startcom UK was filed recently: https://s3-eu-west-1.amazonaws.com/document-api-images-prod/docs/UdxHYAlFj6U9DNs6VBJdnIDv4IQAWd4YKYomMERO_2o/application-pdf Were you unaware of this filing?
Additionally, companies that register to trade on the New York Stock Exchange have to file reports with the US Security and Exchange Commission. Qihoo 360 filed a report that included a list of their variable interest entities and Qihoo's percent of economic interest in each (https://www.sec.gov/Archives/edgar/data/1508913/000114420413022823/v341745_20f.htm page F-10). It also describes all the ways in which Qihoo 360 controls these entities, including assuring that Qihoo has decision making authority over the entities. I agree that Mozilla does not require reporting that multiple Root CAs are Affiliates. Perhaps it should. However, as you know, the CA/Browser Forum does require such. So I don't think it would be a stretch for Mozilla to do so. It is something that should probably be added to the 2.3 policy discussion. Thanks, Peter On Mon, Sep 19, 2016 at 6:51 PM, Richard Wang <rich...@wosign.com> wrote: > Thanks for your detail info. > No worry about this, all companies must be complied with local law. > > But I really don't care who is my company's shareholder's shareholder's > shareholder, you need to find out this by yourself if you care. > > If you think Mozilla must require this, please add to the Mozilla policy that > require all CA disclose its nine generation including all subordinate > companies and all parent companies. > > > Best Regards, > > Richard > > -----Original Message----- > From: dev-security-policy > [mailto:dev-security-policy-bounces+richard=wosign....@lists.mozilla.org] On > Behalf Of Nick Lamb > Sent: Tuesday, September 20, 2016 9:06 AM > To: mozilla-dev-security-pol...@lists.mozilla.org > Subject: Re: Incidents involving the CA WoSign > > On Tuesday, 20 September 2016 01:25:59 UTC+1, Richard Wang wrote: >> This case is WoSign problem, you found out all related subordinate companies >> and all related parent companies that up to nine generations! I think this >> is NOT the best practice in the modern law-respect society. > > It seems the governments of the European Union countries (including the UK > where one of the mentioned companies is located) disagree with you about > whether this is best practice. > > Identifying individual human persons behind a company is a key plank of their > anti-money laundering and anti-tax evasion policies. To identify these human > persons it is necessary to look through any number (even more than nine) of > layers of corporate ownership. In the UK the legal term is Persons with > Significant Control and PSC registration is mandatory since this summer, a > company registered in the UK is obliged to figure out if there are such > Persons and if so list them in its routine filings. Failing to properly > investigate, or concealing the truth about control of the company is > punishable by forfeiture, ie the state would seize the company's assets. _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
