Not removing CNNIC just says that other CAs won't be punished, either. Like Comodo.[1]
Browsers should start considering scoping CAs by default. If CNNIC signs, say, a Mexican domain, that might be cause for suspicion. It's a bit more complicated since .com and others are sorta generic. But there's gotta be something that can limit exposure for many customers. How many US users often run into CNNIC, or those South American CAs?
1: On one of their sales calls, I told them they failed at the one thing they were supposed to do as a CA. Without missing a beat, the guy shifted to trying to sell me antivirus software.
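As an added illustration of the "scoped CAs" idea in the comment above (this is example code written for this page, not anything the commenter or any browser vendor ships), the snippet below models a client-side policy that limits which DNS namespaces a given root may vouch for, and flags issuances that fall outside it. The matching rule is the dNSName subtree rule from RFC 5280 section 4.2.1.10 (a constraint of `example.com` covers `example.com` and every subdomain); the CA names and the policy table are constructed sample data, and `classify_issuance` and `audit` are assumed names, not a real API.

```python
from typing import Dict, Iterable, List, Tuple

# Constructed sample policy: which DNS subtrees each (made-up) CA may vouch for.
# An empty list means "unconstrained", which is today's default for every root.
SAMPLE_POLICY: Dict[str, List[str]] = {
    "Regional CA North (constructed)": ["cn", "hk"],
    "Regional CA South (constructed)": ["mx", "br", "ar"],
    "Global CA (constructed)": [],
}


def _normalize(name: str) -> str:
    """Lower-case, drop a trailing dot, and judge a wildcard leaf by its parent."""
    name = name.strip().lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    return name


def dns_name_in_subtree(hostname: str, constraint: str) -> bool:
    """RFC 5280 dNSName rule: 'example.com' covers itself and every subdomain.

    A leading '.' on the constraint is tolerated, since some encoders emit one.
    Plain suffix matching is deliberately avoided: 'example.cn.evil.com' must
    not match a constraint of 'cn'.
    """
    host = _normalize(hostname)
    subtree = _normalize(constraint).lstrip(".")
    if not subtree:
        return False
    return host == subtree or host.endswith("." + subtree)


def classify_issuance(issuer: str, hostname: str,
                      policy: Dict[str, List[str]] = SAMPLE_POLICY) -> str:
    """Return one of: in-scope, out-of-scope, unconstrained, unknown-ca."""
    permitted = policy.get(issuer)
    if permitted is None:
        return "unknown-ca"          # root not in the policy at all
    if not permitted:
        return "unconstrained"       # the status quo: any name goes
    if any(dns_name_in_subtree(hostname, c) for c in permitted):
        return "in-scope"
    return "out-of-scope"            # the case the comment wants browsers to notice


def audit(observations: Iterable[Tuple[str, str]],
          policy: Dict[str, List[str]] = SAMPLE_POLICY) -> List[Tuple[str, str]]:
    """Run a batch of (issuer, hostname) observations; return the suspicious ones."""
    return [(issuer, host) for issuer, host in observations
            if classify_issuance(issuer, host, policy) == "out-of-scope"]


if __name__ == "__main__":
    # Constructed observations, e.g. from a client's own TLS session log.
    seen = [
        ("Regional CA North (constructed)", "www.example.cn"),
        ("Regional CA North (constructed)", "banco.example.mx"),
        ("Global CA (constructed)", "shop.example.mx"),
    ]
    for issuer, host in audit(seen):
        print(f"out-of-scope issuance: {issuer} -> {host}")
```

The interesting design point is the third policy entry: a root with no constraint list behaves exactly as every root does today, so a client can roll scoping out one CA at a time and only ever turns a silent success into an explicit "out-of-scope" result, never the other way round.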