Google is explicitly whitelisting the legitimate end-user certificates CNNIC has issued, and then revoking the root.
Basically they had to hand over a list of all issued certificates, Google reviewed them, and CNNIC can't issue any new ones without asking Google to whitelist it.
Basically they had to hand over a list of all issued certificates, Google reviewed them, and CNNIC can't issue any new ones without asking Google to whitelist it.