
10 What happens if a CA does not perform after being

10.1.1 If a CA's performance does not meet the requirements of our CP we have recourse to several actions.

10.1.2 Firstly, of course, we should try to rectify the matter informally, then follow a formal process, and ultimately, if necessary, remove the CA from the list of accredited CAs.

10.1.3 If there is a significant problem with the CA's operations that appears to undermine the security of the PKI, we can immediately ask S.E.E. PKI Application owners to remove the CA from their trust lists. Users with certificates issued by this CA will no longer have access to the application.

10.1.4 If the certificates were being used for non-S.E.E. purposes, in some cases it would be prudent to "suspend" the certificates, making them unusable by applications that check certificate status.

10.1.5 We could have a sliding scale of penalties including any or all of the following:

  • Have the CA "put right" the matter at the CA's expense, including compensation to agencies;

  • Invoke a third party audit (e.g. WebTrust for CAs), at the CA's expense;

  • Invoke an audit to S.E.E. PKI CP, at the CA's expense.

10.1.6 Due to the small scale of the S.E.E. Key market, it is likely that invoking some of these penalties may have a substantial financial impact on some CAs.

