e-commerce monitoring GmbH and at what point does a CA get distrusted

Amir Omidi (aaomidi)

Dec 18, 2023, 2:34:31 PM
to dev-secur...@mozilla.org
Hi all,

I am hoping to get some root program perspectives on this incident: https://bugzilla.mozilla.org/show_bug.cgi?id=1815534 and the follow up incident for delayed revocation: https://bugzilla.mozilla.org/show_bug.cgi?id=1862004.

This CA has clearly ignored Bugzilla until this incident was filed against them. From a quick search on Bugzilla, I did not see any incidents for them, which is an unrealistically low number of incidents for a publicly trusted CA.

I am curious, where do the root programs draw the line of "This CA is a net negative for public security & trust"?

Do we have these defined anywhere? If not, maybe we should use this as an opportunity to define at what point root programs need to consider distrusting a CA.