I think what Mozilla have done here is to provide an incentive for any other CAs who may have already done what TrustWave did to quickly own up, revoke the certificates, and promise not to issue any more.
If they'd immediately executed TrustWave, the incentive would be for any other CAs who've done the same thing to double-down and hide it, which would leave us in an overall worse position.
In other words, it's a temporary amnesty - a strategy which has a good history of working well.
While I don't generally buy the notion that this is carefully-calculated hardball on the part of Mozilla, I agree that immediate revocation isn't the only reasonable outcome here. What disappoints me the most is that the response leaves the unaccountable system of for-profit subsidiary CAs untouched.
Agreed. Any subsidiary CA should be meeting all the requirements imposed on the root CAs - and if they are, then they could simply be included in the browser root programs in their own right rather than paying another CA for a sub-CA cert.