Then they must be removed.

It's also one of the reasons why I find it so annoying that I can't disable CAs in iOS and Android trust stores manually.

It appears disabling trust roots is possible on my samsung Android at least.

So assume they're removed.

As it happens, one of the unwilling customers is the police force where I live. I can tell you what the police would have answered: "We're supposed to take down the police servers outside our normal schedule for a problem that does not affect us? Are you serious?" How do you suggest that the next CA should answer?

Easy answer. If you are not comfortable with the basic requirements that each and every CA in the PKI is required to follow, you should host your own PKI and manage trust yourself as well.

> As it happens, one of the unwilling customers is the police force where I live. I can tell you what the police would have answered: "We're supposed to take down the police servers outside our normal schedule for a problem that does not affect us? Are you serious?" How do you suggest that the next CA should answer?

Should have picked a CA that can follow fundamental rules that apply to every CA that wishes to be trusted, shouldn't have fucked around and found out,