Yeah, to be clear, I think this was inexcusable, even if it wasn't outright malice, and that expulsion is the obvious right answer.
But what's the alternative story? Someone knew what they were doing, wanted to MITM some users, and got a ... three-week-long intermediate certificate? (Which is far shorter than any online intermediate CA has, and those are plugged into networks, although probably also under armed guard.) And tipped their hand to Google barely a week in? Knowing that there was a serious risk to CNNIC being killed off from the roots if anyone at all noticed?
If CT has the benefit of informing bad actors that they'll be found out, then it's certainly a major one, but I find it hard to believe that anyone trying to MITM actual users wouldn't already be aware that Google is already doing this, and Chrome snitches on certs that verify but don't match hard-coded pins (e.g., for Google's own websites). This is exactly how the last MITM or two got caught.
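The pin-mismatch check the post refers to, written out as an added illustration (this is not Chrome's code, and its static pin list and report format are not reproduced here). The SPKI byte strings are constructed stand-ins, not real keys; the pin is a hash over the raw DER so any bytes show the mechanism. The point it demonstrates: pins are only evaluated on a chain that already verifies, so a chain that chains up to a trusted root (say, through an unexpected intermediate) but contains no pinned key is the case that gets rejected and reported.

```python
import base64
import hashlib

# Constructed stand-ins for the DER-encoded SubjectPublicKeyInfo of each
# certificate in a chain (leaf, intermediate, root). Not real keys.
SPKI_LEAF = b"constructed-spki:leaf"
SPKI_INTERMEDIATE = b"constructed-spki:expected-intermediate"
SPKI_OTHER_INTERMEDIATE = b"constructed-spki:unexpected-intermediate"
SPKI_ROOT = b"constructed-spki:root"


def spki_pin(spki_der: bytes) -> str:
    """HPKP-style pin: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def evaluate_chain(chain_spkis, pinned, chain_verified, host):
    """Apply a static pin set the way a pinning client does.

    - A chain that fails ordinary verification is rejected before pins are
      consulted; no pin report is generated for it.
    - A verified chain containing at least one pinned SPKI is accepted.
    - A verified chain with no pinned SPKI anywhere in it is rejected and a
      report is produced (the 'snitching' described above).
    """
    if not chain_verified:
        return {"accept": False, "pin_match": False, "report": None}
    observed = [spki_pin(s) for s in chain_spkis]
    if any(p in pinned for p in observed):
        return {"accept": True, "pin_match": True, "report": None}
    return {
        "accept": False,
        "pin_match": False,
        "report": {
            "host": host,
            "observed_pins": observed,
            "expected_pins": sorted(pinned),
        },
    }


if __name__ == "__main__":
    # Hypothetical host whose operator pins its usual intermediate's key.
    host = "pinned.example"
    pins = {spki_pin(SPKI_INTERMEDIATE)}

    normal = [SPKI_LEAF, SPKI_INTERMEDIATE, SPKI_ROOT]
    print("normal chain:", evaluate_chain(normal, pins, True, host))

    # Same trusted root, but the leaf was issued by an intermediate that is
    # not in the pin set: it verifies, yet fails pinning and is reported.
    unexpected = [SPKI_LEAF, SPKI_OTHER_INTERMEDIATE, SPKI_ROOT]
    print("unexpected intermediate:", evaluate_chain(unexpected, pins, True, host))
```

Running the script prints the accepted result for the normal chain and a report for the chain built through the unexpected intermediate; a chain that does not verify at all is rejected silently, which is why pinning reports are a useful signal specifically for misissuance under otherwise trusted roots.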
I think the concern here is not that MCS made a mistake, but rather, CNNIC said they wouldn't do something and then knowingly did so. Whether they had good intentions or not is irrelevant. They made a public promise they wouldn't issue intermediate CAs, did so for money and the result of that must be at least temporary revocation. Otherwise the whole notion of trust collapses.