[Sanddancer]

Less difficult. Setting up a private CA means you have to be the CA, and vet and/or create a cert for every wosign/startcom site that people visit. One could trust them just enough depending on how heavily they depend on affected sites. I personally would rather whitelist sites as-needed, but can see why some admins would go the easier route.

[0x0]

Existing certs will continue to work until they expire. So "re-adding trust" to WoSign doesn't make sense. No sane site operator would renew their cert with WoSign since they will lose all Firefox and Apple clients.

[Sanddancer]

I wasn't saying it was a sane way to do it, just the easiest. I could also see it turning into a nationalism issue -- "The West is unfairly attacking native CAs." -- as impetus to try to convince people to manually trust and/or renew certs with them.