
Is this a different situation to the CNNIC Google cert issued earlier in the year? If so, how?


CNNIC issued the intermediate to someone who was doing non-consensual, large-scale SSL MITM. CNNIC evidently didn't realize that's what they were doing, and possibly the company didn't either (and just accidentally MITM'd their own technician's connection to Google during testing -- not that this makes the story better), but in either case CNNIC should not have issued a non-HSM cert and they should have vetted the technical competence and goodheartedness of the customer. Furthermore, they said they were not issuing intermediates, and had not updated their certification practices statements before entering this "experimental" business.

In the Symantec case, the private key in question remained with Symantec at all times, with employees who legitimately had access to the EV certificate authority as part of their job, in the course of testing. It was never exposed to anyone outside the CA.

CNNIC sold a valid, unconstrained intermediate private key to a completely unqualified customer and had organizational troubles at all levels. We were lucky that the customer was also incompetent, and just got caught. Symantec had a few employees make a mistake internally, and at no point could anyone malicious (other than potential malicious employees) threaten internet security. And those specific employees got fired.
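One concrete check for the "valid, unconstrained intermediate" problem described above, added here as an example (not code from this thread or any commenter): it parses a CA certificate with Go's standard crypto/x509 and reports whether it carries any of the constraints that would limit the damage if its key leaked. The sample certificates are self-signed and constructed inside the block, so nothing here touches a real CA.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// assessIntermediate inspects a parsed CA certificate and lists the ways in
// which it is unconstrained. A CA cert with no path-length limit, no name
// constraints and no EKU restriction can sign a server cert for any name.
func assessIntermediate(c *x509.Certificate) []string {
	if !c.IsCA {
		return []string{"not a CA certificate"}
	}
	var findings []string
	// Go reports an absent pathLenConstraint as -1, or as 0 with MaxPathLenZero false.
	if c.MaxPathLen < 0 || (c.MaxPathLen == 0 && !c.MaxPathLenZero) {
		findings = append(findings, "no path length limit: can issue further CAs")
	}
	if len(c.PermittedDNSDomains) == 0 && len(c.PermittedEmailAddresses) == 0 && len(c.PermittedIPRanges) == 0 {
		findings = append(findings, "no name constraints: can sign for any domain")
	}
	if len(c.ExtKeyUsage) == 0 && len(c.UnknownExtKeyUsage) == 0 {
		findings = append(findings, "no EKU restriction: usable for TLS server auth")
	}
	return findings
}

// makeCA builds a self-signed CA certificate (constructed sample only) whose
// issuance is limited to the given DNS domains; nil means unconstrained.
func makeCA(permitted []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:                big.NewInt(1),
		Subject:                     pkix.Name{CommonName: "sample intermediate (constructed)"},
		NotBefore:                   time.Now(),
		NotAfter:                    time.Now().Add(24 * time.Hour),
		IsCA:                        true,
		BasicConstraintsValid:       true,
		KeyUsage:                    x509.KeyUsageCertSign,
		PermittedDNSDomains:         permitted,
		PermittedDNSDomainsCritical: len(permitted) > 0,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	for _, permitted := range [][]string{nil, {"example.com"}} {
		c, err := makeCA(permitted)
		if err != nil {
			panic(err)
		}
		fmt.Printf("permitted=%v findings=%v\n", permitted, assessIntermediate(c))
	}
}
```

The same function can be pointed at any intermediate pulled from a real chain (for example via x509.ParseCertificate on the DER from a TLS handshake) to audit what a CA actually handed out.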


> non-consensual, large-scale SSL MITM

Link to this? The story was that they issued it to some Egyptian company that wanted to run a CA. This company was incompetent and didn't have an HSM. They did have a Palo Alto MITM box that had "CA capabilities", so they used that. Then an engineer at this company plugged his machine into the MITM port, loaded Chrome and tada.

Utterly incompetent and against the CA rules. But not large-scale or non-consensual MITM, right?


Oh, yeah, you're right. They put their globally valid, unconstrained intermediate cert in a device whose primary purpose is large-scale SSL MITM, and they MITM'd themselves without realizing it, but yes, they weren't intending to do large-scale non-consensual SSL MITM. I'd forgotten the part where they were planning on using the device as a way to issue normal certs and ignoring the MITM capabilities.


Seeing as how using a trusted CA to do MITM isn't even remotely a valid business plan or idea, I think it's quite possible that they were incompetent enough to use any piece of hardware, yes. It's actually better for the world if they were planning to do MITM, as they'd have been caught so fast and their plans killed so quickly it'd be funny. As-is it's just luck that they messed up.


> but in either case CNNIC should not have issued a non-HSM cert

Putting it in an HSM does not make it OK.


Symantec is too big to unlist. CNNIC wasn't. /s


It's different because this was "internal testing" and the certificate wasn't used (at least, this is not mentioned). CNNIC issued a CA cert to some random intermediary. Slight difference in severity.

