Comment 137 for bug 232340

In , Helm-fionn (helm-fionn) wrote :

> And as I remember, the root that signed that cert (it was an IE code
> signing cert so it didn't affect NS) got replaced in the next IE update ....
> Is CAcert ready to do that if it finds that it issued a bogus cert?

Surely that is not our standard for dealing with a bogus cert.

I don't remember the "root CA replacement" component - I remember a lot
of arguing about process and CRL management - but it's been quite a while.

It seems like people are searching for infallibility ("assumes liability"
sounds like, in practice, another requirement for infallibility). But maybe
it would be more useful to look at how issuers deal with certificate
validation, challenges, and other matters related to revocations.