This came up on the Mozilla mailing list and the most likely explanation is that they're sharing some infrastructure, i.e. one CA is hosting the other[1]. This is apparently quite common in the industry.
I don't think the Baseline Requirements (or any of the root program policies) currently require that CAs disclose these arrangements. I don't think CA hosting is inherently bad (in many cases I'd actually be happy to know that a CA is not running their own infrastructure), but it would probably be a good idea to force CAs to be transparent about it. If it's publicly known that WoSign and StartCom use the same domain validation infrastructure (just as an example, this might not be the case), that fact would be highly relevant for this discussion.
[1]: https://groups.google.com/d/msg/mozilla.dev.security.policy/...