[huhtenberg]

For what it worth, the support for this sort of MITM was the feature du jour among "unified security" appliance vendors back in 2003-04. Basically the idea was that the corporate IT department would install an additional CA certificate on all company's computers and this would enable the appliance to access raw data of SSL/TLS streams going in and out of company's networks. The purpose was benign and it was to scan downloads for viruses and malware.

I do not doubt for a second that any reasonable national cybersecurity agency has this functionality readily available, utilizing one of the CA certificates bundled with common OSes. Whether they are actually using it and to what extent is another question, which ties into political implications should someone detect the certificate forgery.