I'd say this implies two things. First CAs should be wary of the possibility loosing trust. For reacting/responding timely and adequately to any concerns being raised, instead of ignoring them or waiting to "see how they develop", is a lot easier than any alternative, I'd say.
The other thing is that it is makes sense that CAs (or people) who have lost trust will have to figure out themselves how to get back to trust. Like I said, it depends a lot on how exactly trust was lost in te first place. And bottom line it is their problem, not Mozilla's. They created it, it is not reasonable to expect/ask a root program to prescribe how to do that. CU Hans _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy