I mentioned the .cn government (and their root CA(s)) because the article mentioned the .cn government, specifically, and the parent comment mentioned "any government that controls a CA".

Obviously, any government with a) control over a root CA and b) control over their entire country's Internet access could carry this out. The article we're commenting, however, called out .cn by name.