Hi all,
This CA has clearly ignored Bugzilla until this incident was filed against them. From a quick search on Bugzilla, I did not see any incidents for them, which is an unrealistically low number of incidents for a publicly trusted CA.
I am curious, where do the root programs draw the line of "This CA is a net negative for public security & trust?"
Do we have these defined anywhere? If not, maybe we should use this as an opportunity to define at what point root programs need to consider distrusting a CA?