So what's the relation to StartCom/StartSSL? I remember reading some comments about half a year ago mentioning that the startssl website suddenly was hosted on Chinese IP addresses, just around the time they redesigned the web page. This seemed fishy enough back then that I finally switched from startssl to letsencrypt for non-wildcard certs and actually started paying a different CA for wildcart certs...
Did the StartSSL root CA change hands / was it sold to a Chinese company (Wosign?)
I seem to remember the CEO used to be vocal in various ssl and ca forums and on bugzilla earlier.... But no comments lately?
From what I've seen earlier, he's appeared to have a clue or two about SSL. I wonder what's going on with wosign+startssl despite that? Isn't it all very related?
This came up on the Mozilla mailing list and the most likely explanation is that they're sharing some infrastructure, i.e. one CA is hosting the other[1]. This is apparently quite common in the industry.
I don't think the Baseline Requirements (or any of the root program policies) currently require that CAs disclose these arrangements. I don't think CA hosting is inherently bad (in many cases I'd actually be happy to know that a CA is not running their own infrastructure), but it would probably be a good idea to force CAs to be transparent about it. If it's publicly known that WoSign and StartCom use the same domain validation infrastructure (just as an example, this might not be the case), that fact would be highly relevant for this discussion.
Did the StartSSL root CA change hands / was it sold to a Chinese company (Wosign?)
I seem to remember the CEO used to be vocal in various ssl and ca forums and on bugzilla earlier.... But no comments lately?