The last time this happened, Mozilla issued a statement that they would no longer allow CAs to issue CA=TRUE intermediate certificates for this kind of purpose, that any CAs doing so should immediately revoke them and come forward immediately, and that any CA not doing so within a given grace period (IIRC a few months) would be removed when discovered. That grace period has long since passed. So why is the intermediate certificate being removed but not the top-level CA that knowingly issued it?

Google's Chrome and Mozilla's Firefox browsers will stop trusting all new digital certificates issued by the China Internet Network Information Center following a major trust breach last week that led to the issuance of unauthorized credentials for Gmail and several other Google domains.




Google Revoking Trust In CNNIC Issued Certificates