mozilla / pkipolicy

Documents for Mozilla's PKI policies - certificate root program, etc.

Address Delayed Revocation #276

Open BenWilson-Mozilla opened 4 months ago

BenWilson-Mozilla commented 4 months ago

This section of the wiki needs to be updated: https://wiki.mozilla.org/CA/Responding_To_An_Incident#Revocation. The MRSP should also address delayed revocation.

shaver commented 4 months ago

In case it's helpful, here are some related passages from other root program policies:

Microsoft: https://learn.microsoft.com/en-us/security/trusted-root/program-requirements

If Microsoft, in its sole discretion, identifies a certificate whose usage or attributes are determined to be contrary to the objectives of the Trusted Root Program, Microsoft will notify the responsible CA and request that it revokes the certificate. The CA must either revoke the certificate or request an exception from Microsoft within 24 hours of receiving Microsoft's notice. Microsoft will review submitted material and inform the CA of its final decision to grant or deny the exception at its sole discretion. In the event that Microsoft doesn't grant the exception, the CA must revoke the certificate within 24 hours of the exception being denied.

Chrome: https://www.chromium.org/Home/chromium-security/root-ca-policy/

Due to the incorporation of the Baseline Requirements into CA policy documents, incidents may include a prescribed follow-up action, such as revoking impacted certificates within a certain timeframe. If the Chrome Root Program Participant does not perform the required follow-up actions, or does not perform them in the expected timeframe, the Chrome Root Program Participant SHOULD file a secondary incident report describing any certificates involved, the expected timeline to complete any follow-up actions, and what changes they are making to ensure they can meet these requirements consistently in the future.

(Apple: https://www.apple.com/certificateauthority/ca_program.html has nothing explicit, just a general reference to compliance with CA/Browser Forum Baseline Requirements Certificate Policy)

BenWilson-Mozilla commented 2 months ago

Just adding a pointer here to this https://bugzilla.mozilla.org/show_bug.cgi?id=1889062#c24