Hello,
I have been re-reading the Mozilla root policy, which necessarily leaves substantial discretion to Mozilla as to when revocation of a root (or otherwise constraining it, if such capabilities existed) is appropriate.
From also reviewing a number of historical incidents in Bugzilla, it seems that currently the decision as to whether to sanction a CA is largely evaluated on a per-incident basis: is this specific incident sufficient grounds to disrupt subscribers and relying parties by forcibly revoking some or all of the CA's issued certificates?
Unfortunately, this in my opinion undermines the integrity of the root programs, because it means that the pattern of behaviour of a CA over time doesn't really have a place in the conversations. There is no summary discussion of a CA, even given a pattern of similar incidents, which might lead Mozilla and the WebPKI community to decide that said CA was a liability to the integrity—both technical and political—of the root program.
I'm posting here not to conduct such a summary discussion of any specific CA (yet), but to start a conversation about what the WebPKI community represented here might think appropriate as a structure for such historical evaluations, and also what tests we might apply to determine if a CA should have its inclusion formally reconsidered in some way.
I have my own thoughts on the topic, perhaps obviously, but I would like to first leave some space for others to present their opinions.
Mike