> Probably browsers will remove it anyway and deal with EU in court if they make a stink about it.
That doesn't sound like a sad state of affairs to you? It's like responding to the PATRIOT act by saying "Probably tech companies will refuse to comply and deal with the federal government in court if they make a stink about it."
That sounds like a great state of affairs, if people actually raise challenges to such laws, and win. I would love to see such overreaching attempts tied up endlessly in litigation, ideally with associated PR to make sure that the visible actions are all portrayed as a mess associated with the officials supporting such overreach in the first place.
I'd rather see overreach stopped before it starts, but in the absence of that, I'd like to see it stopped by any means we have, including civil disobedience and litigation.
In this context: remove CAs that issue MITM certificates, and loudly and repeatedly say "So you're prosecuting us and demanding that we include a known-insecure CA that's used to make the Internet less secure? Is that what you'd like to say to these cameras, the entire Internet, and people who will see this played repeatedly while they decide whether to vote for you in the next election? Or would you like to drop this?"
I mean, what's the alternative? We see people here complain every single day about unilateral action taken by Google and the like. Which is better, to have to deal with the rule of laws written by an elected body in a court, or to shout into the wind at a corporation?
>We see people here complain every single day about unilateral action taken by Google and the like.
While that's true to some extent, I don't find that to be the case in this specific area (i.e. trust store and/or encryption). Are the browser vendors unfairly applying rules (i.e. favoring incumbents)? Are their requirements too arduous? Are they not revoking bad CAs? It's not clear what this regulation is supposed to solve.
Third option: work with a transparent Open Source organization that processes CAs on the basis of keeping the Internet secure, where nation-state-level interception is considered part of the threat model.