Can you explain what you mean a bit more? My connection to eg my bank isn't decryptable by anybody but me and my bank (and their CDN which is serving their certificate). That is, eg, Verisign has root CA keys to sign the cert, and they could give me a cert that says they're my bank and I could make a new connection that they could decrypt, but the original connection to my bank can't be decrypted by their keys.