by codyro 3541 days ago
I believe so - they're owned by the same company and it wasn't disclosed properly, leading to some trust issues.

Additionally there seems to be a lot of co-mingling between the companies in regards to code bases and signing practices.

I'd check out https://wiki.mozilla.org/CA:WoSign_Issues and look for "StartCom" for examples.


I remember the secret StartCom change of ownership came up very early in these discussions (I even saw random forum posts, on HN and elsewhere, almost a year earlier, when people noticed the StartCom servers mysteriously switched to Chinese IP addresses, and switched all my certs away as a precaution before there was any talk about CA mismanagement). But until now I've only seen talk of actually kicking out WoSign. Good riddance either way. Wonder what happened to the StartCom people, they seemed to be clued in back in the days. Shame.
The original plan[1] was to distrust both WoSign and StartCom after a certain date. Shortly after that, Mozilla met with representatives from Qihoo, WoSign and StartCom, and considered the possibility of treating StartCom separately under certain conditions[2]. The latest remediation plan seems to discard that notion (except that only WoSign will have to wait a year to re-apply).

[1]: https://docs.google.com/document/d/1C6BlmbeQfn4a9zydVi2UvjBG...

[2]: https://groups.google.com/forum/#!topic/mozilla.dev.security...