by jcranmer
3524 days ago
Mozilla has revoked the CA certificate moving forward. Already-issued certificates are unaffected, to allow current customers time to migrate to a more reputable CA. If they were to immediately revoke the current roots, then thousands of sites would suddenly report certificate errors--which would train users to click through them, helping nobody. The axe Mozilla is holding over WoSign is the threat of immediate full revocation if WoSign is caught doing backdating again. Given that WoSign has been coerced into cooperating with publishing all CSRs via Certificate Transparency, and that there is likely to be a much larger group of people watching carefully for violations, I don't expect it to take very long for future backdated certificates to be caught if WoSign does try it.