There have been fradulent certificates in the wild in the past but the CAs doing it usually get kicked out pretty quickly. That's what Google's certificate transparency project is for. And they are increasing requirements further and further. Hopefully one day we'll get to a state where the infrastructure of multiple independent companies in different countries needs to be compromised in order for one successful forgery. But even now certificate transparency has greatly reduced the number of entities able to forge certificates.
“Verisign also operates a ‘Lawful Intercept’
service called NetDiscovery. This service is
provided to ‘... [assist] government agen-
cies with lawful interception and subpoena
requests for subscriber records.’
If you now try to search for NetDiscovery or LEA services for CAs, you won't find any, but I guarantee you they haven't disappeared anywhere.
The CA doesn't have anything that helps you do Lawful Intercept. They just vouch for people's identities.
If you can persuade them to fraudulently vouch for your agency as being some other subscriber then this unavoidably produces a smoking gun which everybody can see, just like when Israel produces fake passports so its agents can travel abroad to murder people.
It doesn't let them passively intercept. The CA could not, gun to its head, help you do that. The mathematics just doesn't work that way, any more than the US Federal Reserve could intervene to make three dollars twice as many as five dollars.
This means that fradulently issued certificates either won't work, or will be contained in public logs run by Google (or Google needs to be forced by authorities as well).
I don't consider a cert trustworthy just because it's signed by a CA, unless that CA is mine or one run by someone I personally know and trust. I came to this position before Snowden, though.
> A signed cert has to depend on someone you dont know.
No, it doesn't. If it's signed by my own CA, then I clearly know who signed it. Likewise if it's signed by a CA run by someone else I actually know.
The point of the signing is to have someone I trust validate that the cert they signed is trustworthy even if I don't know the entity that made the cert they signed.
I feel like Namecoin and Ethereum Name Service are the most promising replacements for certificate authorities that I'm aware of. Are you aware of any better suggestions?