As someone who just renewed a Symantec EV cert (for a pretty penny), this would super piss me off.
The steps Google has laid out seem proportionate to me. It clearly gets the message across without unduly burdening 3rd parties like me.
And it has nudged me to look at other CAs. Unfortunately the first good option I've looked at--Digicert--has also been publicly rapped on the knuckles by Ryan Sleevi this month.
Some Symantec customers are in a position to file a complaint with Google well over the heads of the Chrome cert team. Some have many $millions of transactions dependent on Symantec certs, and aggressive legal staff.
Imagine if Chrome started reporting all Apple and Microsoft domains as insecure, with no warning. That's straying into very deep waters.
To be clear: I support Google's action against Symantec, and it is causing me to look at other CAs. But I need time to make an orderly change.
It's not tortious interference with Symantec's business (who are still "free" to issue whatever they like).
Google is under no obligation and cannot or should not be coerced into saying "You have to accept Vendor A's CA so that they can continue to represent Vendor B's SSL certificate as 'secure'."
That's also very deep water that might result in some 'diplomacy' but with little actual legal position.
You can't compare Symantec with Apple and MS, since Apple and MS are competent.
If you think someone might sue Google, on what basis? And Google is more than capable of defending itself.
I agree about the time needed to make an orderly change, which is why I didn't propose that connections fail yet, only that they not be presented as secure in the UI.
Apple and Microsoft buy their TLS certs from Symantec. All their sites would be affected if Chrome abruptly stopped trusting Symantec certs overnight.
Imagine if everyone going to Apple.com in Chrome suddenly saw "site insecure" when they were trying to buy an iPhone--an area where Google is a direct competitor.