by vtlynch
3427 days ago
Certificate resellers are only taking money in exchange for the cert. They are not doing any validation. This is true even in cases like Gandi.net where some of the certs they sell come from a custom-branded intermediate certificate. The root CA is Comodo and they are doing the validation, controlling the private keys of the certs that handle issuance, etc. It's just a branding thing. There are a few cases with Sub-CAs/Registration Authorities where a third-party company is handling some/all of the certificate validation. Symantec is currently in trouble for the bad actions of CrossCert, a Korean company that was licensed to be a Sub-CA. But WoSign/StartCom would not be able to participate in any sort of arrangement like this without being immediately banned again. So there is no inherent problem with a banned CA continuing to sell certificates that another CA is validating. However, in the investigation of WoSign it was found that the company is deeply dishonest, incompetent, and even a little bit malicious. So anything that puts money in their pocket should be avoided.