11 What happens if a CA is removed from the list of

11.1.1 If for whatever reason a CA is removed from the list of accredited CAs, the following chain of actions must occur.

11.1.2 We will determine a "termination" date at which the certificates should no longer be trusted by S.E.E. Applications. The date may be "today" if existing certificates cannot be trusted, for example if the CA's private keys have been compromised, or it may be in 12 months' time if, for example, the CA's infrastructure is operational but we wish to cease doing business with the CA.

11.1.3 S.E.E. Application owners will be asked to remove the CA from their trust lists on the termination date.

11.1.4 S.E.E. PKI agencies will be asked to stop purchasing certificates from the CA immediately or within a short time frame. The agency will need to establish a new relationship with another accredited CA (assuming there is another accredited CA on the list).

11.1.5 The agency will need to replace existing certificates with those from the new CA. This can be done as they expire if the "termination" date for the previous CA is sufficiently far off, but if currently issued certificates do not expire until after the "termination" date, they will need to be replaced in bulk ahead of expiration.

11.1.6 Note that migration from one CA to another would be expensive, time-consuming and potentially disruptive to business.

