Wayne, I think this goes to you.
The new Terms & Conditions include:
The Customer acknowledges and accepts that Actalis may:
b) revoke the Certificate within the maximum timescale indicated in the CPS
in the event that the Certificate demonstrates any non-compliance with CABF
Standards, regardless of the impact of such non-compliance on the security
or correct functioning of the Certificate; in such cases, Actalis shall notify the
Customer where possible, within the limits permitted by the maximum
timescales for revocation indicated in the CPS according to the circumstances.
In the event of revocation of certificates by Actalis, for any of the reasons
stated herein, Actalis accepts no liability for any inconvenience, disruption or
malfunctions suffered by the Customer as a result of the revocation.
The CP/CPS includes, in 184.108.40.206:
Before revoking a certificate, the CA will make a reasonable effort to warn to the affected Subscriber of the
imminent revocation, compatibly with the maximum revocation times indicated above.
Comment #1 is a good example of a systemic and structured approach, in part related to Bug 1534295. We'll have to see how well it works in practice, although, ideally, we won't :)
There's other stuff that raises an eyebrow, but not to the level of this issue, and might be more relevant for future policy updates.
- Providing versioned history for the CP/CPS (took me a bit to compare the diffs of the related documents)
- Expectations, if any, around CP/CPS publication (e.g. the AGID process invokes possible challenges for future updates, such as was required for CA problem reporting)
But I think those are not specific to Actalis here and don't need to be dealt with on this issue.