Revocation in this one is interesting. We are revoking, of course, but the debate is the required timeline. Technically, these are compliant with the CAB Forum requirements, just not the Mozilla policy. This means the revocation timeline from 4.9.1 of the BRs doesn't apply as the policy states "CAs MUST revoke Certificates that they have issued upon the occurrence of any event listed in the appropriate subsection of section 4.9.1 of the Baseline Requirements, according to the timeline defined therein." Is the expectation from Mozilla that Mozilla CA policy violations will be treated as BR violations?
As far as controls, we changed a lot of process to ensure strict governance with the policies. However, the current processes only ensure that future changes are captured and made. We're still working on ensuring that any past changes to the guidelines were covered.
For future changes, we have Tim and Dean who are collecting the changes, timelines, and expectations related to browser and CAB Forum policies. The product and compliance teams meet with them weekly to ensure we know the coming changes and impact. When a new ballot is finally proposed, the compliance team breaks the requirements down to steps required for implementation which are compared to the product team's interpretation of how the systems actually work. From there we build out the plan to implement the change in the next sprint. We dedicate a portion of each sprint to compliance work (whether changes in the BRs, better reporting, or increased controls) to ensure compliance remains an ongoing concern.
Once the product team implements the change, the compliance team reviews for compliance and signs off. This way, we have three different teams of people watching the guidelines from three different perspectives, which means changes are captured (hopefully) before they impact the CA.
For past changes, we're working on a complete internal review of all current requirements that we can audit on. We regularly audit ourselves for compliance, but generally only against the BRs. Given that Mozilla, Microsoft, Adobe, and Apple all have slightly different root policies and requirements, we are building a master checklist to ensure all policies are met, root or otherwise.
From the technical perspective, we implemented zlint on our backend a while ago. We have been (or will shortly be) contributing to that project to help remove some of the false positives. Going forward, I'd like us to contribute to the code changes to capture new changes in requirements, including changes in Mozilla policy.