That's because removing a CA certificate from its products for a policy violation will result in users not being able to access websites secured with certificates issued by that particular CA. Unless users receive similar certificate errors in other browsers, they'll think it's a problem with Firefox and switch to something else, Shulman said.
Other people participating in the discussion on the mozilla.dev.security.policy mailing list don't agree that CAs should be offered a grace period. One argument is that companies engaged in man-in-the-middle SSL traffic inspection could simply stop doing it until they roll out an alternative solution.
Others feel that Mozilla shouldn't send a communication to CAs for the sole purpose of requesting disclosure of something that clearly violates their policy.
"Look, Mozilla has a policy, there is no reason to require something that doesn't comply to the policy anyway," said Eddy Nigg, CTO of StartCom and StartSSL, in an email to the mailing list. "The policy hasn't changed and I'd advise Mozilla to apply its own policy, simply as that."