Mozilla's Proposed Conclusion: Game Over For WoSign and Startcom?

Reader Zocalo writes: Over the last several months Mozilla has been investigating a large number of breaches of what Mozilla deems to be acceptable CA protocols by the Chinese root CA WoSign and their perhaps better known subsidiary StartCom, whose acquisition by WoSign is one of the issues in question. Mozilla has now published their proposed solution (GoogleDocs link), and it's not looking good for WoSign and Startcom. Mozilla's position is that they have lost trust in WoSign and, by association StartCom, with a proposed action to give WoSign and StartCom a "timeout" by distrusting any certificates issued after a date to be determined in the near future for a period of one year, essentially preventing them issuing any certificates that will be trusted by Mozilla. Attempts to circumvent this by back-dating the valid-from date will result in an immediate and permanent revocation of trust, and there are some major actions required to re-establish that trust at the end of the time out as well.
This seems like a rather elegant, if somewhat draconian, solution to the issue of what to do when a CA steps out of line. Revoking trust for certificates issued after a given date does not invalidate existing certificates and thereby inconvenience their owners, but it does put a severe -- and potentially business-ending -- penalty on the CA in question. Basically, WoSign and StartCom will have a year where they cannot issue any new certificates that Mozilla will trust, and will also have to inform any existing customers that have certificate renewals due within that period they cannot do so and they will need to go else where -- hardly good PR!

What does Slashdot think? Is Mozilla going too far here, or is their proposal justified and reasonable given WoSign's actions, making a good template for potential future breaches of trust by root CAs, particularly in the wake of other CA trust breaches by the likes of CNNIC, DigiNotar, and Symantec?

I'm Confused

[MightyMartian]

Why in the hell would anyone trust certificates signed by a Chinese CA to begin with?

It's not that bad.

[narcc]

It's a system built on trust. If a CA is anything less than completely trustworthy, it's useless. A year long suspension looks like a slap on the wrist, when the obvious action is to drop them completely.

The entire security of the internet

[surfdaddy]

...depends upon the flawed root CA system. These companies have repeatedly failed to do their primary job of cooperating with established rules and protocols. They've failed to report breaches, they've issued certificates erroneously for other domains and then not reported it. This has been done repeatedly, and is the PRIMARY function of a CA. I don't consider it "draconian" at all, it seems pretty charitable for their timeout to be only one year instead of permanently. It's also an example to other certificate authorities that the rules actually have some teeth.

Draconian?

[penguinoid]

What's draconian about not trusting someone proven to be untrustworthy? Is it because their only job was to be trustworthy?

Not enough

[b1ng0]

In my opinion, this does not go far enough. These entities are in the business of trust. Once you break that trust ONCE, it should be game over! No warnings, slap on the wrist, suspensions or other nonsense. You break that trust and you should be removed permanently.

What?

[nyet]

As if WoCom and Startcom are any less trustworthy than the rest of the despicable commercial CA signers.