I have to share, I'm quite concerned with understanding how we can independently verify and assess these claims. That's part of the importance for addressing in the thumbprints. The current proposal would not have us have any independent attestation for another year, and it would only cover that year - not this year. So we have no insight into what sort of activities are in-scope or out-of-scope, and from understanding how the audits are to be used, it's not the auditor who misrepresented things if things are totally non-compliant.
This is why other CAs have been requested to revoke such certificates by other root programs, and why Mozilla has moved a number of them to OneCRL. This case is interesting, because unlike those other cases, it does appear Identrust intends to use these for web server authentication, and so the OneCRL/Revocation mechanism has greater impact and side-effects. However, it's important to emphasize: the relying parties/public have no way to be sure of the information presented here, and waiting until the next audit cycle won't address that.
As it relates to https://crt.sh/?q=DCCA716167F029AA9A309EE8CA3FF1F4017D1A1F3D1981BDFF9E5AF3F503682A , I'm especially concerned about the statement "Not capable to issue TLS certificates" - unless I'm missing something, which I totally could be, this certificate is quite capable of issuance. I'm hoping you can expand more here?
For the first two, regarding the AUP, note that WebTrust guidance was updated in 2017 to provide illustrative guidance on how to report to that effect. Your WebTrust auditor should be able to use that form to provide the reporting in a consistent manner.
I think, if I'm reading correctly, that the following certificates remain unresolved:
The lack of disclosure in the BR report is a significant oversight, and it means we cannot have assurance that they've been evaluated and are operating consistent with policy. The standard response has been to insist on revocation, whether via OneCRL (which has been Mozilla's standard response) and/or by direct revocation (what other root programs have required). I encourage you to notify other browsers/root programs for their input, and I encourage you to re-evaluate how the necessary assurance can be provided, both for this year and prior years.