I suggest Mozilla should - at the very least - strongly urge the actual current owners of these CA roots to use their resources to reach out to subscribers informing them of this decision and of its consequences. If it cannot, it should hand over all available contact details for the subscriber to another CA/B member, for them to do that work on behalf of the whole industry.
We know in the SHA-1 threads that subscribers often seem ignorant of important decisions affecting them, and the CA is best placed to contact the subscriber because they're most likely to have useful email addresses, phone numbers etc. that lead to people with the correct mix of technical ability and decision-making authority to act. As it stands currently the plan does not invalidate most (any?) end entity certificates that we believe were legitimately issued and such notification could make that clear, but subscribers deserve some warning even of the risk that invalidation would happen in future, not to mention that they will not be able to receive renewals from these CAs, at least for some time.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy