
WoSign is included as a root certificate. When they first started, they weren't in all browser stores, so StartCom cross-signed their root certificate.

That way, WoSign could create certificates while they waited for browsers to update with their root certificate. It also helps for legacy/embedded systems that don't get updates, since StartCom has existed far longer. Due to the cross-sign, all WoSign certificates are still compatible.


OK thanks. Doesn't StartCom bear responsibility for the behavior of the entity they cross-signed for?


Supposedly they were bought by WoSign

http://letsphish.clonezone.link/part1

I say supposedly because this is an archive of the original domain

https://www.letsphish.org/

which now says

  > September 1, 2016:
  > I'm currently going under legal review of the site.
  > Content will not be available during this period.


IIRC not in this case because WoSign had been accepted as a root, it just wasn't in all browsers yet. Let's Encrypt went through the same process -- it was accepted, but it takes time for root store updates to reach all consumers, so in the meantime it was cross-signed by some other CA. That CA has no responsibility here, since Let's Encrypt was itself accepted as a CA and was a peer (and is thus fully responsible for its own actions).
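The arrangement described in the first comment and again here (StartCom signing WoSign's root key so that clients whose root store has not yet been updated can still build a path, while updated clients chain directly to the WoSign root) can be made concrete with a toy chain builder. This is an added example, not code from any commenter or from either CA; certificates are reduced to a subject, a subject key id and an issuer key id, so signature verification is abstracted to key-id matching, and all names and key labels are constructed.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X.509 certificate (hypothetical model, not a parser).

    subject_key plays the role of the Subject Key Identifier and issuer_key the
    Authority Key Identifier. A real path builder would also verify each
    signature, validity period and name constraints; here "issuer_key matches
    subject_key" is taken as "signature verifies".
    """
    subject: str
    subject_key: str
    issuer_key: str

    @property
    def self_signed(self) -> bool:
        return self.subject_key == self.issuer_key


def build_path(leaf: Cert, served: Iterable[Cert], trusted: Iterable[Cert],
               max_depth: int = 5) -> Optional[List[Cert]]:
    """Return a chain leaf -> ... -> trust anchor, or None if no anchor is reachable.

    At each step a trust anchor is preferred over a served intermediate, so an
    updated client stops at the self-signed WoSign root and never needs the
    cross-signed certificate. A legacy client that trusts only StartCom cannot
    match an anchor at the leaf and must follow the served cross-signed
    certificate (same key as the WoSign root, signed by StartCom) to reach one.
    """
    served = list(served)
    anchors = list(trusted)

    def walk(cert: Cert, path: List[Cert]) -> Optional[List[Cert]]:
        if len(path) > max_depth:
            return None
        for anchor in anchors:
            if anchor.subject_key == cert.issuer_key:
                return path + [anchor]
        for cand in served:
            # A self-signed cert that is not itself an anchor cannot lead anywhere,
            # and revisiting a cert already on the path would loop.
            if cand.self_signed or cand in path or cand.subject_key != cert.issuer_key:
                continue
            found = walk(cand, path + [cand])
            if found:
                return found
        return None

    return walk(leaf, [leaf])


# Constructed sample certificates modelled on the arrangement the comments describe.
STARTCOM_ROOT = Cert("StartCom Root", "key:startcom", "key:startcom")  # long-established anchor
WOSIGN_ROOT = Cert("WoSign Root", "key:wosign", "key:wosign")          # self-signed, in new stores
WOSIGN_CROSS = Cert("WoSign Root", "key:wosign", "key:startcom")       # same key, signed by StartCom
LEAF = Cert("example.test", "key:leaf", "key:wosign")                  # end-entity issued by WoSign


def chain_subjects(leaf: Cert, served: Iterable[Cert], trusted: Iterable[Cert]) -> Optional[List[str]]:
    """Convenience wrapper: the subjects along the built path, or None on failure."""
    path = build_path(leaf, served, trusted)
    return None if path is None else [c.subject for c in path]


if __name__ == "__main__":
    served = [LEAF, WOSIGN_CROSS]  # what a correctly configured server would send
    print("legacy store (StartCom only):     ", chain_subjects(LEAF, served, [STARTCOM_ROOT]))
    print("updated store (WoSign root):      ", chain_subjects(LEAF, served, [WOSIGN_ROOT]))
    print("legacy store, cross-sign omitted: ", chain_subjects(LEAF, [LEAF], [STARTCOM_ROOT]))
```

The third case is the operational point behind "all WoSign certificates are still compatible": compatibility depends on the server actually sending the cross-signed certificate, since a legacy client has no other way to reach an anchor it trusts.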


Yeah, I still think it shouldn't be considered a duplicate. Especially since going directly to WoSign didn't end up solving the overall problem, which is what the linked duplicate question says to do.


Just FYI, since you only quoted one certificate. Both GitHub certificates were mine, not just the one. I created a second account for the second certificate.

