I read the full thread (except for paragraphs where she pasted from previous responses).
She failed to reasonably and convincingly refute some allegations. There were repeated requests to provide information, some of which would be trivial to produce if acting in good faith.
After reading the exchange, I (as a reasonable bystander with no material interest in either side):
* Don't understand the relationship between TrustCor and the malware distributor in a clear way that company ownership records would provide
* Take it as a false statement that the mail service doesn't have apps, as its website advertises them
* Don't understand how their auditor audited them when they don't appear to have a presence in Canada that would be factual based on the extracts from the auditor findings
Unrelated to her responses, I could take it on faith that a rogue developer added spyware from a company with the same owners, but the finding that the payloads were sent to TrustCor servers diminishes the acceptance that sufficient controls exist in the company to not question the security of them as a CA.
Re: your last point: I find it especially concerning that all the questions about TrustCor's apparently compromised server were answered with, "MsgSafe's and TrustCor CA's infrastructure is separate". The concern was that TrustCor's practices led to their servers being compromised, which isn't a great sign for a company which operates a CA, even though it wasn't the CA servers themselves which were compromised. Nothing Rachel wrote indicated that the CA servers are operated in a more secure way than the MsgSafe servers, nor that they have changed any practices in response to the compromise.