
No, I find that pretty damn hard to believe. Especially considering where it's coming from.

You don't accidentally do anything with an unconstrained CA key chained from the public root: that is a serious piece of data that can MITM anyone worldwide so at the very least should be under lock and key at all times! [It definitely shouldn't be plugged into any network: it should be locked in a Faraday-caged safe, on a dedicated hardware device, ideally under armed guard. You sign your operational CAs with that.]

CNNIC fundamentally broke their CPS: it has no intermediate programme, yet it intentionally misissued (at least!) one CA anyway. That is easily enough to get them pulled from everywhere, in line with current practice.

It's a pretty good demonstration of why we need something like CT, and (IMO) a public list of all intermediaries ever issued from any active CA.



Yeah, to be clear, I think this was inexcusable, even if it wasn't outright malice, and that expulsion is the obvious right answer.

But what's the alternative story? Someone knew what they were doing, wanted to MITM some users, and got a ... three-week-long intermediate certificate? (Which is far shorter than any online intermediate CA has, and those are plugged into networks, although probably also under armed guard.) And tipped their hand to Google barely a week in? Knowing that there was a serious risk to CNNIC being killed off from the roots if anyone at all noticed?

If CT has the benefit of informing bad actors that they'll be found out, then it's certainly a major one, but I find it hard to believe that anyone trying to MITM actual users wouldn't already be aware that Google is already doing this, and Chrome snitches on certs that verify but don't match hard-coded pins (e.g., for Google's own websites). This is exactly how the last MITM or two got caught.
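The two comments above turn on two properties of the misissued intermediate: it was an unconstrained CA chained to a public root (so it could sign for any hostname), and its three-week validity was far shorter than any normal online issuing CA. The following Go program is an added example, not code from the thread or from any CA: it builds a constructed root plus two subordinate CAs with the standard library's crypto/x509, then runs the checks a relying party or CT log monitor would want on a newly observed intermediate (chains to the expected root, marked as a CA, carries name constraints, has a path-length limit, and has a plausible lifetime). The 90-day alerting threshold and all names are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Findings an auditor might raise about a subordinate CA certificate.
const (
	FindingBadChain       = "signature does not verify against the expected root"
	FindingNotCA          = "basicConstraints does not mark this as a CA"
	FindingUnconstrained  = "no name constraints: can sign for any hostname"
	FindingUnlimitedDepth = "no pathLenConstraint: can mint further sub-CAs"
	FindingShortLived     = "unusually short validity for an issuing CA"
)

// shortLivedThreshold is an assumed alerting threshold, not a standard value.
const shortLivedThreshold = 90 * 24 * time.Hour

// AuditIntermediate returns the findings for a subordinate CA certificate
// when checked against the root it is claimed to chain from.
func AuditIntermediate(inter, root *x509.Certificate) []string {
	var findings []string
	if err := inter.CheckSignatureFrom(root); err != nil {
		findings = append(findings, FindingBadChain)
	}
	if !inter.BasicConstraintsValid || !inter.IsCA {
		findings = append(findings, FindingNotCA)
	}
	if len(inter.PermittedDNSDomains) == 0 {
		findings = append(findings, FindingUnconstrained)
	}
	// Go reports an absent pathLenConstraint as MaxPathLen == -1 after parsing
	// (or 0 with MaxPathLenZero false on a template).
	if inter.MaxPathLen < 0 || (inter.MaxPathLen == 0 && !inter.MaxPathLenZero) {
		findings = append(findings, FindingUnlimitedDepth)
	}
	if inter.NotAfter.Sub(inter.NotBefore) < shortLivedThreshold {
		findings = append(findings, FindingShortLived)
	}
	return findings
}

// mustCreate signs template with signer under parent and returns the parsed result.
func mustCreate(template, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, template, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// BuildDemoChain constructs (assumed, in-memory) a root, an unconstrained
// three-week sub-CA like the one discussed, and a properly constrained sub-CA.
func BuildDemoChain() (root, unconstrained, constrained *x509.Certificate) {
	now := time.Now()
	rootKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	rootTpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Constructed Root CA"},
		NotBefore:             now,
		NotAfter:              now.AddDate(20, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	root = mustCreate(rootTpl, rootTpl, &rootKey.PublicKey, rootKey)

	badKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	badTpl := &x509.Certificate{
		SerialNumber:          big.NewInt(2),
		Subject:               pkix.Name{CommonName: "Constructed Unconstrained Sub CA"},
		NotBefore:             now,
		NotAfter:              now.AddDate(0, 0, 21), // three weeks, no name or path constraints
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	unconstrained = mustCreate(badTpl, root, &badKey.PublicKey, rootKey)

	goodKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	goodTpl := &x509.Certificate{
		SerialNumber:                big.NewInt(3),
		Subject:                     pkix.Name{CommonName: "Constructed Constrained Sub CA"},
		NotBefore:                   now,
		NotAfter:                    now.AddDate(5, 0, 0),
		IsCA:                        true,
		BasicConstraintsValid:       true,
		MaxPathLen:                  0, // pathlen:0 -> may issue leaves only
		MaxPathLenZero:              true,
		KeyUsage:                    x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		PermittedDNSDomainsCritical: true,
		PermittedDNSDomains:         []string{".example.test"}, // assumed namespace
	}
	constrained = mustCreate(goodTpl, root, &goodKey.PublicKey, rootKey)
	return root, unconstrained, constrained
}

func main() {
	root, bad, good := BuildDemoChain()
	fmt.Println("unconstrained sub-CA:", AuditIntermediate(bad, root))
	fmt.Println("constrained sub-CA:  ", AuditIntermediate(good, root))
}
```

Run against the constructed chain, the unconstrained sub-CA produces three findings (no name constraints, no path-length limit, short lifetime) while the constrained one is clean; auditing a certificate against the wrong root adds the chain finding first. The same checks apply to real intermediates pulled from a CT log or a captured TLS handshake: parse the DER with x509.ParseCertificate and pass it with the expected root.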


I think the concern here is not that MCS made a mistake, but rather that CNNIC said they wouldn't do something and then knowingly did so. Whether they had good intentions or not is irrelevant. They made a public promise they wouldn't issue intermediate CAs, did so for money, and the result of that must be at least temporary revocation. Otherwise the whole notion of trust collapses.



