Well, if I'm connecting to www.google.com or gmail.com, then I have to trust Google anyway - so Google can do anything anyway, but the infrastructure needs to ensure that, say, the Russian government can't do MITM without cooperation from Google itself.
The same goes for www.thatserviceIreallytrust.com. There should be a trivial, accessible-by-default way to whitelist them in a way that no one else can make a new 'valid' certificate for them.