What makes you think the FBI, or a certain assisting agency, don't already have CAs in their pocket? They only need one. The 'rogue CA' threat that encouraged the development of HPKP covers this scenario. Hell, DNS TLSA records (which are a part of the now dead DANE concept) let you pin to any combination of PKI CA, public key, or certificate. One day we'll regret not deploying this stuff.
HPKP at least is growing and getting attention. I would have prefered to do the pinning on TLS level instead of http level. Sadly Tack (see tack.io) was to late and HPKP was already to far along and supported by google.
DNSSEC has some value, and DANE does as well, but sadly both are stuck in a strange limbo. Pinning can be deployed now and add a huge amount of security. Even if we had DANE, we would still want to have pinning.
There are interesting ideas how you could scan the internet and it pins and publish this information in a secure way. Then you back this trusted site pin into your browser. Its a similar ideas like Certificat Transparancy. A browser could then load itself with all the needed pins or verfy them on demand. One could also get preloaded pins from a trusted party, or use network vision to check with many different parties on first use. Lots of options once everybody has TOFU.
This combination of Network Vision and TOFU would be quite nice and CA could be replaced, at least for non EV.
I don't doubt that they do, but having the rogue CA threat established as a legal precedent that can be used effortlessly by the police scares me a lot more.
