
The 30 000 certificates don't have any documentation. The BRs require that a CA keeps documentation showing how they validated the Subject, because without that any CA could issue anything and then say "Er, I forget why, but it was definitely OK" and who can prove they were wrong?

CrossCert wasn't able to produce any documentation for the certificates they got Symantec to issue. Maybe their dog ate it, or they kept it in the Recycle Bin on somebody's laptop and then mistakenly hit "Empty" one day. Most likely they simply never created the documentation at all, because Symantec had never asked them to produce it, so why bother?

But that means we have no reason, other than a general sense that CrossCert appear to have been incompetent rather than malevolent, to believe any of those certificates was actually validated. On that basis they're mis-issued, and so Symantec revoked them.

The 127 certificates discovered by investigators are clearly bogus, some aren't even for valid domain names, but the thousands of others weren't magically fine - we have no idea, and not having any idea is itself unacceptable.

It is true that Symantec shut down their entire RA partner programme (the relationship with CrossCert and half a dozen others) without explicitly being told to do that, and personally I felt that might be enough, but Google clearly don't see it the same way.
