The solution for big banks is the orderly failure. Things like bail-in, where a bank is required to be able to go through a flash chapter-11 process over a weekend. Or the "living will", basically the bank preparing a contingency plan in advance if it needs to wind down its activity.
In the CA world, I would assume this would require a standard protocol across CAs to request, renew and transfer certificates from CA providers automatically. A sort of commercial version of the ACME protocol. But that requires lots of infrastructure change, not just on the CA side: all servers would have to be updated.
This is long overdue anyway. It is currently way too complex to request, install and keep updated a certificate. And there isn't enough competition in this market.
Transferring certificates from an untrustworthy CA makes no sense. Burn the certificates. Websites should just obtain brand new ones from a different CA. If you are running a website that's important to you, this should be at most a one hour operation (or, if politics and procedures delay you in obtaining a new cert, maybe you should have planned ahead and kept two different certificates on hand already).
By transferring I meant automatically re-issuing a new certificate, not keeping the signature. Of course this requires re-authenticating the request. And that process has to be automated. A bit like how the renewal of the certificate should also be automated.
No, existing certificates should not be reissued. We can't trust that they were issued to the rightful owner originally by the failed CA. Clients should request new certificates and validate their ownership from scratch.
Getting a certificate is an hour's work tops if you are doing the CSR dance manually. If you use ACME and letsencrypt it's done in seconds.
EV certificates are more work, but if this matters to you then perhaps you should source multiple certificates to begin with, or act quickly when a CA is dropped (I'm sure browser vendors will give at least a few days notice).
Edit: Maybe I misunderstood you. If you just meant that software in general should offer requesting certificates from any provider, then sure, why not just use ACME. CertBot appears to be designed with multiple providers in mind. But this doesn't really have much to do specifically with the case of CAs being dropped from the root. (At first I got the impression you wanted other CAs to "bail out" certificates from the revoked CA.)
The validation requirements for 'Extended Validation' certificates can be onerous - complete with in-person ID checks, and photocopies of passports and driving licenses signed by public notaries. I'm not sure automated transfers would be possible.
I suppose you could downgrade on automatic transfer. I've heard people question the value of EV certs, and certainly a working DV cert is better than a revoked EV cert. Or you could insist every EV cert applicant verify their identity with two different CAs.
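As an added example (not code from any commenter), the contingency logic the thread sketches: keep certificates from two independent CAs on hand, stop serving and discard any issued by a CA that has been distrusted instead of "transferring" it, renew what is about to expire, and flag when a fresh, from-scratch validation with another CA is needed. The file paths, CA labels and dates are constructed sample values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class HeldCert:
    path: str            # where the cert lives on disk (constructed value)
    issuer_ca: str       # which CA operator issued it
    not_after: datetime  # expiry from the certificate's validity period
    validation: str      # "DV" or "EV"

def plan_certificates(held, distrusted_cas, now, renew_within=timedelta(days=14)):
    """Return (cert_to_serve, actions).

    A cert from a distrusted CA is never reused: it is dropped and the
    operator must validate ownership again with a different CA. Among the
    remaining certs, prefer EV over DV, then the longest remaining validity.
    """
    actions, usable = [], []
    for cert in held:
        if cert.issuer_ca in distrusted_cas:
            actions.append(f"stop serving and destroy {cert.path}: "
                           f"issuer {cert.issuer_ca} is distrusted")
            continue
        if cert.not_after <= now:
            actions.append(f"{cert.path} expired: request a new cert")
            continue
        if cert.not_after - now <= renew_within:
            actions.append(f"renew {cert.path} from {cert.issuer_ca} "
                           f"(expires within {renew_within.days} days)")
        usable.append(cert)
    # The "plan ahead" part: two trusted CAs on hand, so losing one is survivable.
    if len({c.issuer_ca for c in usable}) < 2:
        actions.append("fewer than two trusted CAs on hand: obtain a cert "
                       "from another CA with fresh domain validation")
    if not usable:
        return None, actions
    best = max(usable, key=lambda c: (c.validation == "EV", c.not_after))
    return best, actions

# Constructed inventory: an EV cert from CA-A and a DV cert from CA-B.
NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)
HELD = [
    HeldCert("/etc/tls/site-ca-a.pem", "CA-A", NOW + timedelta(days=200), "EV"),
    HeldCert("/etc/tls/site-ca-b.pem", "CA-B", NOW + timedelta(days=10), "DV"),
]

if __name__ == "__main__":
    chosen, todo = plan_certificates(HELD, distrusted_cas={"CA-A"}, now=NOW)
    print("serve:", chosen.path if chosen else None)
    for item in todo:
        print("-", item)
```

With CA-A distrusted the routine falls back to the CA-B DV cert (a working DV cert beats a burned EV cert), schedules its renewal, and flags that only one trusted CA remains.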