Having read through the entire thread twice now, I cannot shake the impression that Telekom is persistently trying to avoid implementing any meaningful mitigation procedures themselves.
Across the entire thread they communicate under the assumption that
- they didn't make any mistake in delaying the revocation,
- they should be able (given enough insistence from their customers) to do so again at their own discretion in the future, and
- their inadequate handling of the incident and their apparent laissez-faire approach to the requirements for a CA should be accepted and deemed satisfactory by everyone else.
This combination feels unnecessarily complicated to me, at least for most of the use cases shown.
Suppose we want to style a list differently if it has five or more items. Since :has can detect any child element, the existence of a fifth item is a sufficient indicator that there are at least five items. So instead of ul:has(li:nth-last-child(n+5)), we could just use ul:has(li:nth-child(5)) which is quite a bit clearer in my opinion.