At this point I feel like we need to simply remove Chinese root CAs from trust stores and have users opt in to allowing certificates issued from China. I realize that any CA can be mismanaged, but the risk of Chinese government hands in things like this seems too high to me.
Edit: I have no delusions that this is not happening in the US, it is simply that as someone in the US, I don't have any options to lop off CAs that the US could influence. I can however make the decision to not trust some foreign CAs entirely.
You can always remove CNNIC from your own trust store. Saying they should be removed from all trust stores would rather annoy people actually in China, I'd assume.
I wonder if certificate transparency could be mandated for intermediate certificates sooner than a full DV rollout could. It seems some CAs can't quite resist bending the rules when a sweet contract is dangled in front of their faces. It makes me wonder how much CNNIC was being paid to do this. Given that MCS Holdings sells "security products" it makes me wonder if this was an attempt to do or prepare to do bulk SSL stripping. I guess the blog post says there was no evidence of abuse though, so I guess not.
Not this particular attack, as this was a test intermediate only valid for 2 weeks, but the attack was limited to an internal corporate network. For other cases it would allow browser vendors to demand audit reports, for example.
So, as mentioned in the first link, client audits via the browser would do absolutely nothing during an attack:
"None of CT’s proofs (audit or consistency proofs) will detect mis-issuance of a certificate by a rogue CA, not even if gossip of STHs (signed-tree-heads) successfully occurs [1]"
And that's for today's attacks. In the section before that paragraph, another attack is demonstrated that also cannot be prevented by CT's audit proofs.
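The point above, that a CT proof says nothing about whether a logged certificate should exist, as an added example that is not part of this thread or of any CT log implementation: a minimal RFC 6962 Merkle tree over constructed log entries (the subject/issuer strings, `LOG`, `monitor` and the issuer names are all made up here), where the inclusion proof for the mis-issued entry verifies just as well as the others, and only a monitor comparing issuers for its own domain notices.

```python
import hashlib
# RFC 6962 hashing: 0x00 prefix for leaves, 0x01 for interior nodes.
def leaf_hash(entry: bytes) -> bytes:
    return hashlib.sha256(b"\x00" + entry).digest()
def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()
def _split(n: int) -> int:
    return 1 << ((n - 1).bit_length() - 1)   # largest power of two strictly below n
def tree_head(entries: list) -> bytes:
    if len(entries) == 1:
        return leaf_hash(entries[0])
    k = _split(len(entries))
    return node_hash(tree_head(entries[:k]), tree_head(entries[k:]))
def inclusion_proof(m: int, entries: list) -> list:
    if len(entries) == 1:
        return []
    k = _split(len(entries))
    if m < k:
        return inclusion_proof(m, entries[:k]) + [tree_head(entries[k:])]
    return inclusion_proof(m - k, entries[k:]) + [tree_head(entries[:k])]
def verify_inclusion(entry: bytes, m: int, n: int, path: list, root: bytes) -> bool:
    # RFC 6962/9162 audit-path check: proves the entry is in the tree, nothing about its legitimacy.
    if m >= n:
        return False
    fn, sn, r = m, n - 1, leaf_hash(entry)
    for p in path:
        if sn == 0:
            return False
        if fn & 1 or fn == sn:
            r = node_hash(p, r)
            while fn and not fn & 1:
                fn, sn = fn >> 1, sn >> 1
        else:
            r = node_hash(r, p)
        fn, sn = fn >> 1, sn >> 1
    return sn == 0 and r == root

# Constructed log entries (subject, issuer); the third is a constructed mis-issuance.
LOG = [b"CN=example.com issuer=Trusted Root A",
       b"CN=example.net issuer=Trusted Root B",
       b"CN=example.com issuer=Unauthorized Intermediate X"]
def proof_checks_out(i: int) -> bool:
    return verify_inclusion(LOG[i], i, len(LOG), inclusion_proof(i, LOG), tree_head(LOG))

def monitor(log: list, domain: bytes, authorized: set) -> list:
    # What surfaces mis-issuance in practice: the domain owner reads every logged entry for its name.
    return [e for e in log
            if e.partition(b" issuer=")[0] == b"CN=" + domain
            and e.partition(b" issuer=")[2] not in authorized]
```

Every entry, including the mis-issued one, gets a valid inclusion proof; the `monitor` call is the only step that flags it.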
That's a little over the top, especially considering USA's efforts in this regard. Following this logic, the majority of CAs have some kind of connection to abuse, so certificate transparency is the sensible way to detect these anomalies in future.