(Comments)

Original link: https://news.ycombinator.com/item?id=43167087

The DigiCert/Sectigo debate highlights the tension between security best practices and real-world operational needs, especially for essential services. DigiCert's strict adherence to certificate revocation policy, while critical to security, raised concerns when applied to critical infrastructure such as healthcare or utilities. A "one-off exceptional circumstance" path, allowing temporary exemptions for life-saving services, should be explored. Sectigo's criticism targeted DigiCert's rigidity and the potential for policy loopholes, which led to legal actions such as TROs. A pre-filing mediation process could facilitate communication and potentially resolve issues quickly, rather than outright banning TROs. This could prevent reputational damage to DigiCert and also spare customers from appearing "incompetent" by having to seek legal intervention. Both companies need to prioritize industry stability over individual disputes and engage in constructive dialogue to improve policies and ensure a balance between security and the availability of essential services.


Original text

Fascinating. I think there was a fair amount of snark on both sides, but I do think some good points were raised by both, as well.

1) To DigiCert's point: If certs need an emergency revocation but it will impact a service which, say, provides life-saving services, or keeps the electricity on for the majority of a country, would it not be wise to file them as a one-off "exceptional circumstance"? I think that common sense should prevail and everyone can agree that, "Yes, computer security is absolutely essential. Essential services are also essential." I wish that was the direction the debate had gone in.

For instance, what is considered an 'exceptional circumstance'? What kinds of services are covered, and what are not?

Personally, I would think that things like health, heat, water, electricity, and physical security (prison and law enforcement) are all potentially essential areas. They are industries that ought to be able to request an emergency, 48-hour exception if they know they can't meet it within 24 hours and their services will go down as a result. I feel like two days should be enough time for just about any organization to work through a certificate issue, unless it's a long holiday, or something very, very niche.

I think that, to a degree, Tim Callan (Sectigo CEO) was being unreasonable in expecting DigiCert to not offer any kind of possibility for exceptions. Some services should not go down, just because it goes against the principles of computer security. I hate saying that, but it's true. Keeping the ICU running matters more than whether the hospital is following best security practices during an emergency.

Could it cause more problems by ignoring best practices? Possibly! Will enforcing best practices possibly kill someone? If the answer is anything other than a firm "No", then it is secondary to protecting that service.

2) To Sectigo's point: We should not allow any CA to hide behind policies or poorly written MSAs. If things went the way they did because they were allowed to go that way, then that means you should learn from those things in the post mortem! Take steps to shore it up! Try and prevent other companies from following suit, otherwise more will take action whenever it meets their own best interest. It is disappointing that this part seems to have fallen into snarky retorts too, because there were some legitimate means to discuss this.

For instance: Instead of barring someone from being allowed to file a TRO, simply have an agreement in place that before any legal action like a TRO is filed, the customer will meet with the CA and an emergency mediator. Just take 30 minutes to one hour to see if you can work things out before the customer submits a TRO!

It seems logical, right? If a customer has the cycles to file for a TRO, they should have the time to spare talking to the company they are filing a TRO against. Explain clear reasons to a mediator why the TRO is needed, and why they can't get it done in time. Assuming that the customer can explain all of that in clear terms, it would then be obvious for DigiCert to acknowledge that level of criticality and "exceptional need", and offer their customer an emergency, temporary exemption.

Neither side wants a TRO! It makes DigiCert look weak during an emergency, and it makes Alegeus (the company that filed the TRO) look incompetent, desperate, and underhanded.

The crux of what Tim Callan (Sectigo) was getting at is that there needs to be a correction to DigiCert's policies. It's glaringly obvious. DigiCert were, in a way, "legally attacked" in a manner that should be prevented in the future, as best they can prevent it.

DigiCert lackadaisically shrugging their shoulders and saying "B-But...that goes against Mozilla policy!" is just deflection and meaningless. DigiCert can go to the trouble of sending legal counsel after Sectigo for comments on Bugzilla, but they can't use legal counsel to protect DigiCert from surprise TROs? Really? Bugzilla feedback...that is the legal issue? Not DigiCert being sucker punched by their own customers?

The whole thing is just so aggravating. Both sides need to get over themselves and try to work together. They don't need to like each other, but they should do what is best for the industry. Each side sending out daddy lawyer to fight for them completely misses the point, and kills the chance for constructive feedback.
