Let's say you are the UK government, and you want to be able to intercept and decrypt any TLS connection. You could try demanding the TLS private keys from every secure web site, but sites outside the UK are unlikely to comply. So instead, you set up your own Certificate Authority (CA), which lets you mint a certificate for any hostname on the net. This, along with cooperation from UK ISPs (who route the traffic through your interception proxy), allows you to intercept and decrypt secure web traffic.
But, there's a problem. All this only works if browsers trust your new CA. So you mandate that all browsers downloaded or installed on new devices in the UK must trust your CA. Problem solved.
Except, not quite. There are various emerging technologies designed to let web sites pin their certificates to a particular CA or public key, precisely to detect this kind of attack: a browser that has a pin for a site will reject a chain that validates but does not contain the pinned key, even if it leads to a trusted root. So you must also require browser makers to roll back their support for features like certificate pinning, or at least include an exception for your own pet CA.
Now you can tap any encrypted web connection originating from the UK. Well, except for all the people who were able to obtain the non-UK version of their favorite browser, and also those people who route all their traffic through a VPN with its endpoint outside the UK, but ignore those criminals for the time being.
But now there's another problem. That Certificate Authority you set up? Well, it turns out the people you hired to run it were not entirely honest about their level of expertise, and they're running into problems they can't solve. When you finally get someone competent to look into it, she discovers that the machine holding your root CA's private key has been thoroughly compromised, meaning some unknown third party can now sign certificates that chain to your root and are indistinguishable from the ones you issue.
This sort of thing happens from time to time (anyone remember DigiNotar, in 2011?). In fact, it is one of the major problems with the current security architecture of the web. When it does happen, the major browser makers usually try to limit the damage by releasing an update that distrusts the compromised CA's root, so that nothing chaining to it validates any more. But in this case, they would be legally prevented from doing that. So now you have a root certificate which browser makers are legally required to trust, and whose signing key is in the hands of an unknown individual or organization.