Is there an easy way for me to revoke trust from all Chinese CAs? Anyone in China is ultimately subject to being forced to do the dirty work of the Chinese Communist Party. Why are browser and OS vendors even trusting them in the first place?
I untrusted all Chinese-sounding CAs from "System Roots" under "Keychain Access" in OSX as soon as I got my laptop. That's what Chrome and Safari verify against.
That wouldn't have helped you in this case -- WoSign doesn't even show up in the OS X or Windows root keystores. Its certificates are (apparently) signed by StartCom.
I just blacklisted StartCom's root certs. IMO for signing off on WoSign they're just as guilty, if not worse, than WoSign itself. Since they're the ones with the root cert in the OS, the buck stops there.
I attempted to remove all StartCom certs from the OS X keychain, apparently you can't do it even as root. You have to boot into the recovery partition first.
I can't remember whether it was MacOS or Windows, but at least one OS will sometimes re-install a 'standard' CA certificate if you delete it. Setting 'never trust' is the most reliable way to kick out the CA as it ensures that it stays out.