by 0x0 3540 days ago
So they are actually kicking out StartCom as well. Is this new?

Apple was quick to move to kick out WoSign but they seemed to keep StartCom around. https://support.apple.com/en-us/HT204132

5 comments

I believe so - they're owned by the same company, and it wasn't disclosed properly, leading to some trust issues.

Additionally, there seems to be a lot of co-mingling between the companies in regard to code bases and signing practices.

I'd check out https://wiki.mozilla.org/CA:WoSign_Issues and look for "StartCom" for examples.

I remember the secret StartCom change of ownership came up very early in these discussions (I even saw random forum posts, on HN and elsewhere, almost a year earlier, when people noticed the StartCom servers mysteriously switched to Chinese IP addresses, and switched all my certs away as a precaution before there was any talk about CA mismanagement). But until now I've only seen talk of actually kicking out WoSign. Good riddance either way. Wonder what happened to the StartCom people; they seemed to be clued in back in the day. Shame.
The original plan[1] was to distrust both WoSign and StartCom after a certain date. Shortly after that, Mozilla met with representatives from Qihoo, WoSign and StartCom, and considered the possibility of treating StartCom separately under certain conditions[2]. The latest remediation plan seems to discard that notion (except that only WoSign will have to wait a year to re-apply).

[1]: https://docs.google.com/document/d/1C6BlmbeQfn4a9zydVi2UvjBG...

[2]: https://groups.google.com/forum/#!topic/mozilla.dev.security...

Yes, the StartCom roots are included in the set to be distrusted. Mozilla is allowing StartCom to re-apply sooner than WoSign, but both will have to go through the entire CA vetting process again, and StartCom will also have to prove it's no longer controlled by WoSign.
Mozilla's discussion started with StartCom as well as WoSign, as they share ownership and shared significant amounts of infrastructure.
WoSign bought StartCom but didn't tell anyone (against Mozilla's root cert policy) and insisted they were separate businesses when called out on it. Mozilla looked into it, found evidence that StartCom was now owned by WoSign, and WoSign finally came clean that they owned StartCom.

The reason StartCom is being distrusted too is that the WoSign code base (a couple of parts of which are shared with StartCom, including the issuance tech) has been found to be buggy, so until Qihoo 360 (WoSign's parent company) can prove that WoSign and StartCom are now two completely separate businesses, as part of Qihoo 360's plan to remove WoSign's CEO and separate the companies, the loss of trust has to be applied to both.

Oh, and that loss of trust... WoSign's CEO (someone who has been in on CA/B Forum meetings discussing the sunsetting of SHA1 certs) authorised a backdated SHA1 cert to be issued for an AU payment processor, bypassing the legitimate method of applying for one (he was also at the meetings that set up the SHA1 exception process), using StartCom's root, while insisting the two CAs were not linked.

So Mozilla have said that if Qihoo 360 break up WoSign and StartCom (as Qihoo 360 proposed), StartCom doesn't share WoSign's infrastructure after the break-up, and StartCom can prove this to the Mozilla community and regain its trust, they won't have to wait the minimum year to reapply.

Apple were quick to kick WoSign, but Qihoo 360/StartCom had requested a meeting with Mozilla to discuss a mitigation plan (relieve WoSign's CEO of his duties, separate the two CAs, put respected security people in as CEOs of the two broken-up CAs) to get back on the road to solving this fucking mess.

Guess that, looking at the evidence Mozilla released, Apple's root team decided that WoSign had already lost their trust but wanted to hear out Qihoo 360/StartCom before making a decision on StartCom too.

I read about that before. StartCom is owned by WoSign now, and there's evidence they completely moved to WoSign's infrastructure.