Hi Aaron,

This seems reasonable to me. It might also be worth adding a similar timeline
to 6.1.1.5.(1) so that, under a circumstance in which the Debian-weak-keys repo
is updated, there is some amount of time for CAs to ensure their own systems
are also updated. Since that repo is under the

Section 6.1.1.3 (4) of the Baseline Requirements (as of Ballot SC-073) says
"The CA SHALL reject a certificate request if... the CA has previously been
notified that the Applicant's Private Key has suffered a Key Compromise
using the CA's procedure for revocation request".
Section 4.9.1.1 (3) of