by malloc2x 4738 days ago
You must assume that the NSA already has master keys for all domestic CA root certificates, and given how many were hacked recently, foreign ones too. In which case SSL traffic is effectively the same as plaintext to them.

The solution could be a distributed CA system like http://convergence.io/

2 comments

Is this correct? Wouldn't they still need all of the leaf private keys to decrypt things?

My understanding was that having a CA's private key just enables someone to issue new child keys for that CA. That vulnerability could be addressed with certificate pinning.

To decrypt after-the-handshake bytes I think you're right, they would need a leaf private key.

However, they absolutely can mount a MITM with the CA root.

EDIT: Further, if they can compel a master key then they can also compel a copy of all the private keys the CA generates.

Not quite sure what you mean, but for the record, as a general rule CAs do not generate keys. They just sign the public keys coming in as Certificate Signing Requests, without ever seeing the accompanying private key.
Perfect forward security should prevent the master key from working.
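The two points the thread argues over (a CA's private key lets its holder mint a chain-valid certificate for any host, and a pin on the site's own public key is what catches that), as an added Go example that is not part of the thread; the root CA, the site key, the hostname example.com and the pinned hash are all constructed in memory here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

type Check struct{ ChainOK, PinOK bool } // chain validation result vs. SPKI pin result

// makeCert signs tmpl with signer (the parent's key) and parses the DER back into a certificate.
func makeCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der) // DER just produced by CreateCertificate always parses
	return c
}

// spkiPin is the HPKP-style pin: SHA-256 over the leaf's SubjectPublicKeyInfo, not over the whole cert.
func spkiPin(c *x509.Certificate) [32]byte { return sha256.Sum256(c.RawSubjectPublicKeyInfo) }

// Scenario builds a constructed root CA, a genuine leaf for example.com, and a second leaf for the same
// host on a different key signed with the same CA key, then judges both as a pinning client would.
func Scenario() (genuine, rogue Check) {
	now := time.Now()
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Root CA"},
		NotBefore: now, NotAfter: now.Add(time.Hour), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	ca := makeCert(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	leafTmpl := func(serial int64) *x509.Certificate {
		return &x509.Certificate{SerialNumber: big.NewInt(serial), DNSNames: []string{"example.com"},
			NotBefore: now, NotAfter: now.Add(time.Hour), ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	}
	siteKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // the site's real key; the CA only ever sees its public half
	legit := makeCert(leafTmpl(2), ca, &siteKey.PublicKey, caKey)
	pinned := spkiPin(legit) // what the client recorded on an earlier, trusted connection
	otherKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // a key the CA-key holder controls instead
	fake := makeCert(leafTmpl(3), ca, &otherKey.PublicKey, caKey)
	roots := x509.NewCertPool(); roots.AddCert(ca)
	verify := func(c *x509.Certificate) Check {
		_, err := c.Verify(x509.VerifyOptions{DNSName: "example.com", Roots: roots})
		return Check{ChainOK: err == nil, PinOK: spkiPin(c) == pinned}
	}
	return verify(legit), verify(fake)
}
```

Both leaves chain to the trusted root, so the second one is indistinguishable to an unpinned client; only the pin on the site's own key exposes it, which is the pinning defence mentioned in the thread.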