Adopting a zero-tolerance policy for CAs that are bad actors (including those that allow others to have their full power who themselves act as bad actors) and removing their root certificates from trust stores would create a substantial disincentive for CAs to be bad actors.
Yeah, I can't believe the "oh, that's OK, a silly bureaucratic snafu, boys will be boys" response from Google. But at least they told us, they didn't sweep it under the rug.
I would have preferred the Pulp Fiction version. Google should have instead said to CNNIC:
You hear me talkin', hillbilly boy? I ain't
through with you by a damn sight. I'ma get
medieval on your ass.
