(In reply to Vitaly from comment #17)
DigiCert and Sectigo have also stopped issuing certificates for .ru, .su and .rf domains. I think such CAs can no longer be trusted and should be removed from the Firefox Trusted CAs package.
The revocation of certificates of a certain class of subscribers is possible through the requirements stated in the CA/B Forum Baseline Requirements  section 18.104.22.168 (2)(10) in combination with the provisions that a CA lists in the sections 9.14 (Governing law), 9.15 (Compliance with applicable law) and/or 9.16 (Miscellaneous provisions) of their CP/CPS.
Additionally; the CA/B Forum Baseline Requirements  do not put requirements on the subjects that a CA must sign; indeed they only put requirements on what the subject must conform to when it is included in a certificate. These are two different things, and I do not think that compliance to local law (that does not limit compliance to requirements in the BR) is a reason to untrust a CA.
They divided the entire Web-of-Trust goal by zero by blocking all Russians.
I think you misunderstand the term "Web-of-Trust". Web-of-Trust is generally used with GPG, and is an interconnected graph of trusted and indirectly trusted keys; whereas WebPKI is more a hub-and-spoke model; a delegated trust model where you delegate the creation of the trust root to the browser; and few interconnected trust relationships between the CAs. To the best of my knowledge, the Mozilla Root Store was never intended as a Web-of-Trust, because it operates on different principles.