by Crosseye_Jack 3539 days ago
WoSign bought StartCom but didn't tell anyone (against Mozilla's root cert policy) and insisted they were separate businesses when called out on it. Mozilla looked into it, found evidence that StartCom was now owned by WoSign, and WoSign finally came clean that they owned StartCom.

The reason StartCom is being distrusted too is that the WoSign code base (a couple of parts of which are shared with StartCom, including the issuance tech) has been found to be buggy, so until Qihoo 360 (WoSign's parent company) can prove that WoSign and StartCom are now two completely separate businesses, as part of Qihoo 360's plan to remove WoSign's CEO and separate the companies, the loss of trust has to be applied to both.

Oh, and that loss of trust... WoSign's CEO (someone who has been in CA/B Forum meetings discussing the sunsetting of SHA-1 certs) authorised a backdated SHA-1 cert to be issued for an AU payment processor, bypassing the legitimate method of applying for one (he was also at the meetings that set up the SHA-1 exception process), using StartCom's root while insisting the two CAs were not linked.

So Mozilla have said that if Qihoo 360 break up WoSign and StartCom (as Qihoo 360 proposed), StartCom doesn't share WoSign's infrastructure after the break-up, and StartCom can prove this to the Mozilla community and regain its trust, they won't have to wait the minimum year to reapply.

Apple were quick to kick WoSign, but Qihoo 360/StartCom had requested a meeting with Mozilla to discuss a mitigation plan (relieve WoSign's CEO of his duties, separate the two CAs, put respected security people in as CEOs of the two broken-up CAs) to get back on the road to solving this fucking mess.

Guess that, looking at the evidence Mozilla released, Apple's root team decided that WoSign had already lost their trust but wanted to hear out Qihoo 360/StartCom before making a decision on StartCom too.