Root certs don't let you decrypt content encrypted with a descending cert. They just let you issue new certs that'll be considered valid. So, a MITM could send a client a compromised cert in the hopes that the client will encrypt content with it (after accepting it as valid due to it validating up the cert chain to root), but Chrome's certificate pinning is specifically designed to detect this class of attack - it is how the compromised Turkcert certs were discovered.
Even if you hold the root certs and can issue attack certs that validate up the cert chain, you can't MITM a cert-pinned client. In order to attack a cert-pinned site, the NSA would have to inject their own certs into Chrome's cert store, or have Google's private cert keys. Either would require compliance from Google.
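To make the distinction in the comment above concrete, here is an added example (not the commenter's code) that builds two chains with the `cryptography` library: both chain to a root in a constructed trust store, so ordinary path validation accepts both, but only the chain containing the pinned intermediate's SubjectPublicKeyInfo passes a Chrome/HPKP-style SPKI pin check. All CA names and keys are throwaway values generated for the example.

```python
import base64
import datetime
import hashlib
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec

def make_cert(cn, issuer=None):
    """Issue a self-signed cert, or one signed by issuer=(key, cert). Test-only keys."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    signer_key, signer_name = (key, name) if issuer is None else (issuer[0], issuer[1].subject)
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (x509.CertificateBuilder()
            .subject_name(name).issuer_name(signer_name)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=1))
            .sign(signer_key, hashes.SHA256()))
    return key, cert

def spki_pin(cert):
    """Pin value as Chrome/HPKP define it: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    der = cert.public_key().public_bytes(serialization.Encoding.DER,
                                         serialization.PublicFormat.SubjectPublicKeyInfo)
    return base64.b64encode(hashlib.sha256(der).digest()).decode()

def chain_validates(chain, trusted_roots):
    """Simplified path validation: each cert is signed by the next, and the top is a trusted root."""
    for child, parent in zip(chain, chain[1:]):
        try:
            parent.public_key().verify(child.signature, child.tbs_certificate_bytes,
                                       ec.ECDSA(child.signature_hash_algorithm))
        except InvalidSignature:
            return False
    return chain[-1] in trusted_roots

def pin_check(chain, pins):
    """Pinning: some SPKI in the chain must be in the site's pin set, regardless of trust-store validity."""
    return any(spki_pin(c) in pins for c in chain)

def scenario():
    root_a_key, root_a = make_cert("Root CA A")           # constructed: the root the site really uses
    root_b_key, root_b = make_cert("Root CA B")           # constructed: another root in the trust store
    gia_key, gia = make_cert("Site Intermediate", (root_a_key, root_a))
    _, site = make_cert("www.example.com", (gia_key, gia))
    pins = {spki_pin(gia)}                                # site pins its own intermediate's key
    rogue_ca_key, rogue_ca = make_cert("Mis-issued Intermediate", (root_b_key, root_b))
    _, rogue_site = make_cert("www.example.com", (rogue_ca_key, rogue_ca))
    legit, rogue, trusted = [site, gia, root_a], [rogue_site, rogue_ca, root_b], [root_a, root_b]
    return {"legit": (chain_validates(legit, trusted), pin_check(legit, pins)),
            "rogue": (chain_validates(rogue, trusted), pin_check(rogue, pins))}
```

`scenario()` returns `(validates, pinned)` per chain: the legitimate chain is `(True, True)`, while the mis-issued chain is `(True, False)`, which is exactly the mismatch a pinned client reports.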