Hi Ben. I would interpret that sentence to mean that if a CA operator misses the "at least 2 years" deadline then they are forever forbidden from submitting a next generation root certificate for inclusion in Mozilla's root store. Is that the intent?
I think CAs should certainly be encouraged to submit next gen roots in a timely fashion, and I think Mozilla shouldn't feel obliged to grant extensions on to-be-replaced root removals in order to support CAs that fail to do this "at least 2 years" in advance.
However, I think "forever forbidden" is unnecessarily harsh!
So I suggest changing "MUST" to "SHOULD".