Hacker News

wolrah, yesterday at 9:52 PM

You don't get kicked out of trusted roots for non-compliance, you get kicked out for continuing to knowingly issue non-compliant certs, failing to revoke non-compliant certs in a timely fashion once discovered, etc.

Pausing issuance immediately upon discovery of a compliance issue is the absolute correct response, so as long as they do their followup appropriately there is absolutely zero risk of being distrusted.


Replies

rvnx, yesterday at 11:35 PM

> You don't get kicked out of trusted roots for non-compliance

Of course you do, it's the main reason CAs fix compliance issues so fast.

Symantec, WoSign, Entrust, etc. repeatedly had non-compliance issues, and that led to them being removed (even if fixed).

Here it was not a big issue: they forgot a flag to narrow the delegation of trust (but nobody knew that a few hours ago).

Still it can be very problematic, there is a quite similar situation here https://bugzilla.mozilla.org/show_bug.cgi?id=1883843

A basic non-compliance issue, just a web link missing, but huge consequences if they don’t fix it.

Repeated non-compliance (like Symantec's) will eventually get you removed even if fixed.

The core definition of losing “trust” in someone.

Keep in mind that a few hours ago, nobody knew what the violation was. It turns out it was an easy fix.
