[advisedwang]

CAs don't have the private keys to the certificates they sign, so this doesn't compromise issued certs.

The ability for CAs to issue extra certs to governments to enable MITM has been reduced a lot by CAA and HPKP.