I think what Stephen is referring to is that a lot of these bug reports allege some vague badness that can't be determined from the initial report. Later clarification provides a copy of the key or some evidence that something went wrong. The CA isn't made aware until there is some pointed evidence that the CA can investigate to determine whether something went wrong. Otherwise, I can allege "CA A is not following the BRs" and then claim they failed to revoke within 24 hours/7 days every time an issue is found. This doesn't make sense since I could just email every CA now and double the number of incident reports required for any future issue.
What should happen though (and didn't happen here) is that the CA should report back that they are unaware of any wrongness with the currently supplied information and ask for clarification.
Within 24 hours after receiving a Certificate Problem Report, the CA SHALL investigate the facts and circumstances related to a Certificate Problem Report and provide a preliminary report on its findings to both the Subscriber and the entity who filed the Certificate Problem Report.
Note this is not an acknowledgement, it's a report on the findings. I.e., is the certificate incorrectly issued, or can that not be determined (in which case, I think the certificate problem report is rejected).
After reviewing the facts and circumstances, the CA SHALL work with the Subscriber and any entity reporting the Certificate Problem Report or other revocation-related notice to establish whether or not the certificate will be revoked, and if so, a date which the CA will revoke the certificate. The period from receipt of the Certificate Problem Report or revocation-related notice to published revocation MUST NOT exceed the time frame set forth in Section 4.9.1.1.
Agreed that this says that the revocation period must be within the 24 hours/5 days of when the problem report is filed if the CA is made aware of an issue. There is plenty of discussion on this on both the Forum and other bugs. If the CA rejects the certificate problem report as non-actionable (won't revoke based on the cert problem report), then it's hard to argue that the 5 day revocation will start because the CA was not made aware of any problem (4.9.1.1). However, I think this needs to be clearly spelled out in the response to the certificate problem report (will revoke or won't revoke). I think this clarity is required under 4.9.5.
Looking at this particular bug and the response from Stephen, I think Stephen agreed that the certificate should be revoked, which means that the five day rule applied effective when John sent the notice. This does indeed mean we need to file a delayed revocation bug for this incident and refine the Quovadis revocation process.