IIRC, that happened when it was not totally clear that a CA shouldn't be doing that. That incident made it clear that such a thing was in fact prohibited by Mozilla policy, and the CA in question revoked the cert. If it happens again, I would expect the CA (regardless of size) to be revoked—but at the same time, I would expect the big CAs to know they shouldn't even think of it now, which apparently they didn't know in 2012.
"WONTFIX" is the technical status of the Bugzilla bug, because there wasn't a code change, but it's clear that Mozilla took a policy action:
> I have posted a draft CA Communication in the mozilla.dev.security.policy forum for review/discussion. My intent is to make it clear that this type of behavior will not be tolerated for subCAs chaining to roots in NSS, give all CAs fair warning and a grace period, and state the consequences if such behavior is found after that grace period. There is also an action item for CAs to update their CP/CPS to make it clear that they will not issue subCAs for this purpose.
(That also happened when the browser world was less good at dealing with bad CAs, in general)
It absolutely was a policy misunderstanding in 2012. It is no longer a misunderstanding, since it is now abundantly clear to CAs that they can't do that. It no longer stands.
As far as CA policy goes, 2012 was the very distant past. You might as well accuse Mozilla of poor judgment for allowing MD5 certificates in 2012; it would make as much sense.
The CA did the equivalent of purposefully putting their hand into a garbage disposal unit. You're telling me we should not reconsider them as a root CA because the unit didn't say "don't put your hand into this".
Honestly, I'm not sure how you plan to argue your way around a situation where I ended up with a rogue "mail.google.com" certificate accepted by my browser. That wasn't in the rules?! The CA wasn't clear on the policy for that?
... nobody had clearly explained to you what the specific transaction Trustwave got in trouble for was actually about.
Now you know, so "this will not stand" and "Trustwave stuck its hand in the garbage disposal" shouldn't be germane anymore. Once again: the whole point of those certificates is to sign domains the certificate owner doesn't control. They're sold only to giant corporations with huge amounts of insurance, and they're contractually obligated to ensure they're deployed only on the corporation's own network.