They had a contractual agreement w/ MCS Holdings which almost certainly said they wouldn't do something like this. Since they did, CNNIC can say "they promised they wouldn't" and absolve themselves of responsibility.
Of course, MCS Holdings can then just change their name or create a new company or whatever, get a new agreement (with CNNIC or another Root CA) and continue on.
If CNNIC decides it wants to rent out their trust bits like this, they need to realize they are putting their trust on the line. Any actions performed by sub-CAs under their trust authority should be their responsibility. They need to re-evaluate if taking money to rent their CA bits is worth the stakes.
The alternative is that it's a free-for-all for everyone in the trust store. Cash in selling sub-CAs and shrug if they get caught? Really?
Not removing CNNIC just says that other CAs won't be punished, either. Like Comodo.[1]
Browsers should start considering scoping CAs by default. If CNNIC signs, say, a Mexican domain, that might be cause for suspicion. It's a bit more complicated since .com and others are sorta generic. But there's gotta be something that can limit exposure for many customers. How many US users often run into CNNIC, or those South American CAs?
1: On one of their sales calls, I told them they failed at the one thing they were supposed to do as a CA. Without missing a beat, the guy shifted to trying to sell me antivirus software.
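The "scoping CAs" idea above already has a standardized mechanism: the X.509 Name Constraints extension (RFC 5280 permitted/excluded subtrees), which lets a root or intermediate be restricted to issuing for particular domain suffixes, and which browsers and TLS libraries enforce during chain validation. The following Go program is an added illustration, not code from this thread or from any CA; it builds a constructed, hypothetical root constrained to names under .cn, has that root sign leaves for both an in-scope and an out-of-scope host name, and shows that standard verification (Go's crypto/x509) accepts the first chain and rejects the second with a "CA not authorized for this name" error. All names and keys are generated in-process and are not real.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// scopedPKI holds a constructed root (constrained to .cn) and the leaves
// it signed, keyed by host name. Hypothetical test data only.
type scopedPKI struct {
	roots  *x509.CertPool
	leaves map[string]*x509.Certificate
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// buildScopedPKI creates a self-signed root carrying a Name Constraints
// extension (permitted DNS subtree ".cn") and issues one leaf per host.
// The issuer does NOT refuse the out-of-scope name: the constraint is
// enforced by the relying party at verification time.
func buildScopedPKI(hosts []string) (*scopedPKI, error) {
	now := time.Now()
	rootKey := newKey()
	rootTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Scoped Root (constructed)"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		// The scoping itself: leaf SANs must end in .cn.
		PermittedDNSDomainsCritical: true,
		PermittedDNSDomains:         []string{".cn"},
	}
	rootDER, err := x509.CreateCertificate(rand.Reader, rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	rootCert, err := x509.ParseCertificate(rootDER)
	if err != nil {
		return nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(rootCert)

	leaves := map[string]*x509.Certificate{}
	for i, h := range hosts {
		leafKey := newKey()
		tmpl := &x509.Certificate{
			SerialNumber: big.NewInt(int64(i + 2)),
			Subject:      pkix.Name{CommonName: h},
			DNSNames:     []string{h},
			NotBefore:    now.Add(-time.Hour),
			NotAfter:     now.Add(24 * time.Hour),
			KeyUsage:     x509.KeyUsageDigitalSignature,
			ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		}
		der, err := x509.CreateCertificate(rand.Reader, tmpl, rootCert, &leafKey.PublicKey, rootKey)
		if err != nil {
			return nil, err
		}
		leaf, err := x509.ParseCertificate(der)
		if err != nil {
			return nil, err
		}
		leaves[h] = leaf
	}
	return &scopedPKI{roots: roots, leaves: leaves}, nil
}

// VerifyHost performs standard chain validation for host against the
// constrained root; nil means the chain was accepted.
func (p *scopedPKI) VerifyHost(host string) error {
	leaf, ok := p.leaves[host]
	if !ok {
		return fmt.Errorf("no certificate for %s", host)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: p.roots, DNSName: host})
	return err
}

// NotAuthorized reports whether err is specifically the name-constraint
// rejection, as opposed to expiry, hostname mismatch or an unknown root.
func NotAuthorized(err error) bool {
	var cie x509.CertificateInvalidError
	return errors.As(err, &cie) && cie.Reason == x509.CANotAuthorizedForThisName
}

func main() {
	hosts := []string{"www.example.cn", "www.example.mx"}
	pki, err := buildScopedPKI(hosts)
	if err != nil {
		panic(err)
	}
	for _, h := range hosts {
		err := pki.VerifyHost(h)
		fmt.Printf("%-15s accepted=%-5v nameConstraintRejected=%v\n", h, err == nil, NotAuthorized(err))
	}
}
```

The point for the thread's proposal: the constraint lives in the CA certificate itself, so a root program could require (or a browser could synthesize) such a restriction for a CA whose legitimate business is one country's namespace, and any cross-signed sub-CA under it inherits the same limit, since constraints apply to every name in the chain below them.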
Adopting a zero-tolerance policy for CAs that are bad actors (including those that allow others to have their full power who themselves act as bad actors) and removing their root certificates from trust stores would create a substantial disincentive for CAs to be bad actors.
Yeah, I can't believe the "oh, that's OK, a silly bureaucratic snafu, boys will be boys" response from Google. But at least they told us, they didn't sweep it under the rug.
I would have preferred the Pulp Fiction version. Google should have instead said to CNNIC:
"You hear me talkin', hillbilly boy? I ain't through with you by a damn sight. I'ma get medieval on your ass."
Could, but would? At least ban the ones that are proven to be untrustworthy. Otherwise the entire concept of a trust store is a joke and a racket to print money (certificates).