[tptacek]

Attribution back to NSA isn't the big problem. Operations is the problem.

You can't forge certificates without associating them with some specific CA.

If you forge a certificate for a pinned site, you risk detection.

If HPKP is widely deployed, every site could have that risk.

Unless you've popped all the CAs, the browser vendors can respond to detected forged certificates by curtailing the compromised CA. Meaning the NSA has to compromise another CA to continue their activities.

There aren't unlimited CAs to work with.

Stipulate that NSA doesn't care if attacks are attributed to them. Certificate surveillance is still an operational problem for them.