
You can always remove CNNIC from your own trust store. Saying they should be removed from all trust stores would rather annoy people actually in China, I'd assume.

I wonder if certificate transparency could be mandated for intermediate certificates sooner than a full DV rollout could. It seems some CAs can't quite resist bending the rules when a sweet contract is dangled in front of their faces. It makes me wonder how much CNNIC was being paid to do this. Given that MCS Holdings sells "security products" it makes me wonder if this was an attempt to do or prepare to do bulk SSL stripping. I guess the blog post says there was no evidence of abuse though, so I guess not.



> I wonder if certificate transparency could be mandated for intermediate certificates sooner than a full DV rollout could.

It should be mentioned that Certificate Transparency would not have prevented this attack (nor any other such attack).

Google has nothing to gain from CT beyond where they are right now: knowing who issued the cert.

Details: https://blog.okturtles.com/2014/09/the-trouble-with-certific...

TLDR: https://github.com/okTurtles/dnschain/blob/master/docs/Compa...


Not this particular attack, as this was a test intermediate only valid for 2 weeks, but the attack was limited to an internal corporate network. For other cases it would allow browser vendors to demand audit reports, for example.


So, as mentioned in the first link, client audits via the browser would do absolutely nothing during an attack:

"None of CT’s proofs (audit or consistency proofs) will detect mis-issuance of a certificate by a rogue CA, not even if gossip of STHs (signed-tree-heads) successfully occurs [1]"

And that's for today's attacks. In the section before that paragraph, another attack is demonstrated that also cannot be prevented by CT's audit proofs.

[1] https://moderncrypto.org/mail-archive/messaging/2014/000873....


And the point is that logging intermediates only does not directly prevent the attacks but it is still useful.
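As an added illustration of the distinction drawn in the two comments above (it is not part of any comment in this thread and not the okTurtles project's code), the Python below implements the RFC 6962 Merkle leaf/node hashing, audit-path generation and inclusion-proof verification, then runs a trivial monitor over constructed log entries. The inclusion proof verifies equally well for a legitimately issued entry and for one from an unexpected intermediate, so the proof alone tells a client nothing about mis-issuance; only the monitor, which compares logged issuers against the ones the domain owner expects, flags the bad entry after the fact. The entries, the issuer names and the `example.com` watch list are constructed for this example.

```python
import hashlib
from typing import Dict, List, Set, Tuple

# RFC 6962 section 2.1: leaves and interior nodes use distinct prefixes
# (0x00 / 0x01) so a leaf hash can never be passed off as a node hash.
def hash_leaf(data: bytes) -> bytes:
    return hashlib.sha256(b"\x00" + data).digest()

def hash_children(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()

def _largest_power_of_two_below(n: int) -> int:
    # Largest k = 2^j with k < n, for n >= 2.
    k = 1
    while k * 2 < n:
        k *= 2
    return k

def merkle_tree_hash(leaves: List[bytes]) -> bytes:
    """MTH(D[n]) from RFC 6962 section 2.1."""
    n = len(leaves)
    if n == 0:
        return hashlib.sha256(b"").digest()
    if n == 1:
        return hash_leaf(leaves[0])
    k = _largest_power_of_two_below(n)
    return hash_children(merkle_tree_hash(leaves[:k]), merkle_tree_hash(leaves[k:]))

def inclusion_path(m: int, leaves: List[bytes]) -> List[bytes]:
    """PATH(m, D[n]) from RFC 6962 section 2.1.1: the sibling hashes a
    client needs to recompute the root starting from leaf m."""
    n = len(leaves)
    if n == 1:
        return []
    k = _largest_power_of_two_below(n)
    if m < k:
        return inclusion_path(m, leaves[:k]) + [merkle_tree_hash(leaves[k:])]
    return inclusion_path(m - k, leaves[k:]) + [merkle_tree_hash(leaves[:k])]

def verify_inclusion(leaf: bytes, index: int, tree_size: int,
                     path: List[bytes], root: bytes) -> bool:
    """Client-side audit proof check (algorithm of RFC 9162 section 2.1.3.2).
    Succeeds iff the leaf is in the tree with this root; it says nothing
    about whether the certificate inside the leaf should have been issued."""
    if index >= tree_size:
        return False
    fn, sn = index, tree_size - 1
    r = hash_leaf(leaf)
    for p in path:
        if sn == 0:
            return False
        if fn & 1 or fn == sn:
            r = hash_children(p, r)
            if not fn & 1:
                while fn != 0 and not fn & 1:
                    fn >>= 1
                    sn >>= 1
        else:
            r = hash_children(r, p)
        fn >>= 1
        sn >>= 1
    return sn == 0 and r == root

# Constructed sample log entries (not real certificates or CAs): what a
# monitor would see when it pulls entries mentioning its watched names.
SAMPLE_ENTRIES: List[Dict[str, str]] = [
    {"subject": "www.example.com", "issuer": "Example Trusted CA"},
    {"subject": "login.example.com", "issuer": "Example Trusted CA"},
    {"subject": "www.example.com", "issuer": "Unexpected Intermediate CA"},
    {"subject": "other.test", "issuer": "Unexpected Intermediate CA"},
]

def find_unexpected_issuance(entries: List[Dict[str, str]], watched_domain: str,
                             expected_issuers: Set[str]) -> List[int]:
    """Monitor side of CT: return indices of logged certs for our domain
    whose issuer is not one we authorised. Detection, not prevention."""
    flagged = []
    for i, e in enumerate(entries):
        name = e["subject"]
        ours = name == watched_domain or name.endswith("." + watched_domain)
        if ours and e["issuer"] not in expected_issuers:
            flagged.append(i)
    return flagged

def demo() -> Tuple[bool, List[int]]:
    # Serialise each constructed entry as leaf content; a real log holds the
    # DER certificate or precertificate here.
    leaves = [f'{e["subject"]}|{e["issuer"]}'.encode() for e in SAMPLE_ENTRIES]
    root = merkle_tree_hash(leaves)
    # Every entry, including the suspicious one at index 2, has a valid proof.
    all_valid = all(
        verify_inclusion(leaves[i], i, len(leaves), inclusion_path(i, leaves), root)
        for i in range(len(leaves))
    )
    flagged = find_unexpected_issuance(SAMPLE_ENTRIES, "example.com", {"Example Trusted CA"})
    return all_valid, flagged

if __name__ == "__main__":
    print(demo())
```

The design point is the split of roles: `verify_inclusion` is what a browser could check at connection time and it passes for the mis-issued entry just as for the good ones, while `find_unexpected_issuance` is the out-of-band monitoring that actually surfaces a rogue intermediate, which is why logging intermediates is useful for audit even though it does not block the connection.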



