
What "stops" them (to the extent that anything stops a government that is ignoring their own laws) is that the agreements CAs sign with browser/OS makers don't have any provision for issuing fake certs just because a government requested it or compromised the key.

That means if anyone found evidence that a CA was issuing bogus certs (such as one of those certs), that CA would be revoked and bankruptcy would follow soon after. The fact that they were just obeying a court order wouldn't be considered relevant by the browser makers, especially if it's an obscure and little used one.

There are other forms of punishment beyond outright revocation. A CA owned by the French government did something bad at some point (I forgot what), and instead of total revocation they were name constrained to .fr

But basically, forcing CAs to co-operate with you against the contracts they've signed is a very limited strategy. Most governments outside the US government can only do it once or twice before there are no more CAs left in their jurisdiction. Not to mention the legal mess that would result from a company being forced to commit suicide to help an intercept operation.
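The "name constrained to .fr" outcome mentioned above is a concrete mechanism worth seeing in code. What follows is an added example, not code from the comment or from any browser or CA: a pure-stdlib Python implementation of the RFC 5280 section 4.2.1.10 dNSName name-constraint rules (permitted and excluded subtrees, intersection across a chain), run over constructed hostnames. The constraint strings, hostnames and the two-level chain are all assumptions for illustration; the comment does not say whether the constraint on that CA lived in a certificate extension or in the browser's trust-store policy, and the matching logic is the same in either case.

```python
"""RFC 5280 section 4.2.1.10 dNSName name-constraint matching (pure stdlib).

Added example: constraints and hostnames below are constructed for
illustration and are not taken from any real CA or trust store.
"""


def _normalize(name: str) -> str:
    # DNS names are case-insensitive; drop a trailing root dot so that
    # "example.fr." and "example.fr" compare equal.
    return name.strip().lower().rstrip(".")


def dns_name_in_subtree(name: str, subtree: str) -> bool:
    """True if `name` falls inside the constraint `subtree`.

    RFC 5280: a constraint "example.com" matches "example.com" itself and any
    subdomain such as "host.example.com", but not "xexample.com".
    The leading-dot form ".example.com" is widely used in practice and is
    treated here as matching subdomains only, not the apex.
    A wildcard leaf name "*.example.fr" is judged by its parent label, which
    is the conservative reading (so "*.fr" is rejected under ".fr").
    """
    name = _normalize(name)
    sub = _normalize(subtree)
    if name.startswith("*."):
        name = name[2:]
    if sub.startswith("."):
        return name.endswith(sub)
    return name == sub or name.endswith("." + sub)


def dns_name_permitted(name: str, permitted=(), excluded=()) -> bool:
    """Apply one CA's NameConstraints to a single dNSName.

    Excluded subtrees always win. If any permitted subtree is present, the
    name must fall inside at least one of them; an empty permitted list means
    "no restriction" (that is how an unconstrained CA behaves).
    """
    if any(dns_name_in_subtree(name, s) for s in excluded):
        return False
    if permitted and not any(dns_name_in_subtree(name, s) for s in permitted):
        return False
    return True


def check_leaf_sans(sans, permitted=(), excluded=()):
    """Return the SAN dNSNames that violate the constraint.

    An empty result means the leaf would chain validly under a CA carrying
    these constraints; any entry is a name the browser must reject, which is
    exactly what limits the blast radius of a mis-issuing constrained CA.
    """
    return [n for n in sans if not dns_name_permitted(n, permitted, excluded)]


def chain_allows(name: str, ca_constraints) -> bool:
    """Evaluate a whole path. `ca_constraints` is a list of (permitted,
    excluded) pairs, one per CA certificate from root to issuer.

    RFC 5280 intersects the permitted subtrees and unions the excluded ones
    along the path, so the name must satisfy every CA's constraint set.
    """
    return all(dns_name_permitted(name, p, e) for p, e in ca_constraints)


if __name__ == "__main__":
    # Constructed scenario: a root constrained to the "fr" subtree (assumption)
    # and a leaf that carries one in-scope and one out-of-scope SAN.
    leaf_sans = ["portal.example.fr", "www.example.com"]
    print("rejected SANs:", check_leaf_sans(leaf_sans, permitted=["fr"]))
    # A second intermediate narrowing the constraint further.
    path = [(["fr"], []), (["gouv.fr"], [])]
    print("x.gouv.fr allowed:", chain_allows("x.gouv.fr", path))
    print("x.example.fr allowed:", chain_allows("x.example.fr", path))
```

The practical check a verifier performs is `check_leaf_sans` on every SAN of the leaf against each CA in the path; a single out-of-scope name is enough to fail validation, which is why a constrained CA that signs a certificate for a domain outside its subtree gains an attacker nothing in a conforming browser.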

ANSSI if I remember correctly, and one of their intermediate CAs issued an intermediate that was installed in a MITM device. They seem to be phasing out the root now, BTW.
