I don't think they need to get one; Take a look at the CAs are in your browser. Do you implicitly trust all of those organizations and governments? It doesn't matter if you do as your browser already does.
Obviously, if they can install additional Root CAs, they have enough access to do absolutely anything as your user on your maxhine, including installing trojaned versions of all your apps. That isn't the issue gp was discussing.
