While you are here, I hope you can answer a couple of questions. 1) Are the first three shareholders listed in the attached file the same companies as the "Qihoo 360 Software (Beijing) Co., Ltd.", "Beijing Qifutong Technology Co., Ltd.", and "Beijing Yuan Tu Technology Co., Ltd." entities listed in Qihoo 360 SEC reports as VIEs or subsidiaries of VIEs? [Xiaosheng]: Yes, they are. 2) Does Qihoo 360, a Qihoo 360 subsidiary, a Qihoo 360 VIE, or a Qihoo 360 VIE subsidiary, or a combination of those own or control a majority of shares in WoSign? [Xiaosheng]: Yes, the combination of those own 84% of shares in Wosign. Thanks, Peter > > Thanks, > Xiaosheng > > Xiaosheng Tan, Chief Security Officer > Qihoo 360 > E-Mail: tanxiaosh...@360.cn > Web: www.360.cn <http://www.360.cn/> > Address: Bldg 2, 6 Haoyuan, Jiuxianqiao Rd, Chaoyang Dist, Beijing, China 100015 > > > 在 16/9/20 下午2:05,“dev-security-policy 代表 Percy”<dev-security-policy-bounces+tanxiaosheng=360...@lists.mozilla.org 代表 percyal...@gmail.com> 写入: > > On Monday, September 19, 2016, Richard Wang <rich...@wosign.com> wrote: > > > Thanks for your pointing out one of the very important evidence for the > > transaction is NOT completed till yesterday that we released the news after > > it is finished at the first phase. We just finished the UK company > > investment. > > > > For Qihoo 360, I don't know anything and I don’t have the right to do any > > comment. Sorry. > > Considering that StartCom is hosted by Qihoo 360 > https://pierrekim.github.io/blog/2016-02-16-why-i-stopped-using-startssl-because-of-qihoo-360.html > and > that you're the sole director of StartCom, it's hard for me to believe that > you "don't know anything" about Qihoo 360. > > > > > Best Regards, > > > > Richard > > > > -----Original Message----- > > From: Peter Bowen [mailto:pzbo...@gmail.com <javascript:;>] > > Sent: Tuesday, September 20, 2016 10:18 AM > > To: Richard Wang <rich...@wosign.com <javascript:;>> > > Cc: Nick Lamb <tialara...@gmail.com <javascript:;>>; > > mozilla-dev-security-pol...@lists.mozilla.org <javascript:;> > > Subject: Re: Incidents involving the CA WoSign > > > > Richard, > > > > As someone pointed out on Twitter this morning, it seems that the PSC > > notification for Startcom UK was filed recently: > > https://s3-eu-west-1.amazonaws.com/document-api-images-prod/docs/ > > UdxHYAlFj6U9DNs6VBJdnIDv4IQAWd4YKYomMERO_2o/application-pdf > > Were you unaware of this filing? > > > > Additionally, companies that register to trade on the New York Stock > > Exchange have to file reports with the US Security and Exchange > > Commission. Qihoo 360 filed a report that included a list of their > > variable interest entities and Qihoo's percent of economic interest in each > > (https://www.sec.gov/Archives/edgar/data/1508913/ > > 000114420413022823/v341745_20f.htm > > page F-10). It also describes all the ways in which Qihoo 360 controls > > these entities, including assuring that Qihoo has decision making authority > > over the entities. > > > > I agree that Mozilla does not require reporting that multiple Root CAs are > > Affiliates. Perhaps it should. However, as you know, the CA/Browser Forum > > does require such. So I don't think it would be a stretch for Mozilla to > > do so. It is something that should probably be added to the 2.3 policy > > discussion. > > > > Thanks, > > Peter > > > > > > On Mon, Sep 19, 2016 at 6:51 PM, Richard Wang <rich...@wosign.com > > <javascript:;>> wrote: > > > Thanks for your detail info. > > > No worry about this, all companies must be complied with local law. > > > > > > But I really don't care who is my company's shareholder's shareholder's > > shareholder, you need to find out this by yourself if you care. > > > > > > If you think Mozilla must require this, please add to the Mozilla policy > > that require all CA disclose its nine generation including all subordinate > > companies and all parent companies. > > > > > > > > > Best Regards, > > > > > > Richard > > > > > > -----Original Message----- > > > From: dev-security-policy > > > [mailto:dev-security-policy-bounces+richard <javascript:;> > > =wosign.com@lists.mozilla.o > > > rg] On Behalf Of Nick Lamb > > > Sent: Tuesday, September 20, 2016 9:06 AM > > > To: mozilla-dev-security-pol...@lists.mozilla.org <javascript:;> > > > Subject: Re: Incidents involving the CA WoSign > > > > > > On Tuesday, 20 September 2016 01:25:59 UTC+1, Richard Wang wrote: > > >> This case is WoSign problem, you found out all related subordinate > > companies and all related parent companies that up to nine generations! I > > think this is NOT the best practice in the modern law-respect society. > > > > > > It seems the governments of the European Union countries (including the > > UK where one of the mentioned companies is located) disagree with you about > > whether this is best practice. > > > > > > Identifying individual human persons behind a company is a key plank of > > their anti-money laundering and anti-tax evasion policies. To identify > > these human persons it is necessary to look through any number (even more > > than nine) of layers of corporate ownership. In the UK the legal term is > > Persons with Significant Control and PSC registration is mandatory since > > this summer, a company registered in the UK is obliged to figure out if > > there are such Persons and if so list them in its routine filings. Failing > > to properly investigate, or concealing the truth about control of the > > company is punishable by forfeiture, ie the state would seize the company's > > assets. > > > > > -- > _______________________________________________ > dev-security-policy mailing list > dev-security-policy@lists.mozilla.org > https://lists.mozilla.org/listinfo/dev-security-policy > >
_______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy