Hacker News

This is getting circular. I'm fully aware of the purpose of these certificates. The discussion was "did Mozilla make the right decision in excusing a CA that essentially decided to create an extra root CA". The result was a rogue google certificate in the wild. I guess browsers don't care that it was only intended for proxying employee traffic, after all.

I certainly think that in the circumstances, no, they did not. The Mozilla CA policy isn't some legally binding document. They are free to change it and still death-penalty whoever was ultimately responsible for these rogue certificates.




I'm not sure what you expect from Mozilla. It would be nice if there was a way to instantaneously kill a CA and ensure all of its issued certificates continued to work, so that a big chunk of the Internet wouldn't suddenly break. If that capability existed, Mozilla or Google could nuke CAs left or right without even checking the Basic Requirements. But it doesn't, and so the process for handling CA inclusion is done by the book.

In this case, the book said "I guess proxy MITM CA=YES certificates are fine, as long as you're careful".


We're getting to the root of the issue after all. Mozilla simply wasn't prepared to nuke a popular CA unless Google and Microsoft joined in to the fun.

Policy was just the excuse. We saw what happened with CNNIC. Coordinated press releases.


I don't know, it seems like, however unprepared anyone is to nuke a popular CA, they're going to be even less prepared if that CA didn't actually violate the policy.

You keep writing as if it's common sense that the policy should say "nobody can issue CA=YES certificates to enterprises". But while I agree strongly that they shouldn't, this is not common sense. The certificates that Trustwave sold were never deployed on the public Internet, and their disclosure outside of whatever giant bank bought them would presumably have been accompanied by massive civil liability.

The policy didn't mention this behavior not because it never occurred to anyone to ban it, but because it was overtly, actively thought to be OK, by pretty much every stakeholder, until browsers started getting better at monitoring certificate issuance.

Really, the simple truth is: you have Google to thank for pretty much every positive shift in norms about SSL/TLS CAs. Until they built the team they have doing this today (which is amazing), certificate issuance was --- not hyperbolically, but actually, factually --- the lawless wild west.†

Do I wish they'd built that team a few years earlier? Yes, of course. I also wish heap and integer overflows were better known in the early 90s. You can't always get what you want.

The Google team will pointedly add that we should be thanking the Mozilla team for the work they've been doing on keeping a coherent CA policy and trusted root set going all these years; as you can see from this thread, it's a thankless task. I don't agree with all of Mozilla's decisions, but if you throw down in a m.d.s.policy thread about them being incompetent or ineffectual, be prepared to have people who have forgotten more about certificate issuance than you've ever learned give you some pretty vivid comparisons to how other certificate stores have been managed all this time.





