Re: Never understood certs
You are not alone. You simply can't understand certs in terms of security or privacy. They are not about either. They are about (scalable) trust. Before you even consider the question whether amazon.co.uk are jerks or you can really trust them to deliver the goods after you paid them, you want to know that they are, in fact, AMZN. If you don't believe that, you shouldn't give them any money even over a secure channel.
Your bank might be run by some jerks whom you don't even know. The cert of the bank's site does not make them righteous or trustworthy. The only thing it does - or, rather, tries to do - is assure you that it is your bank you are talking to. You need to trust every single jerk in the certificate chain to believe it. In practice you trust the browser maker to do the checking for you, automatically. If you don't trust one of those jerks, it is possible to revoke the corresponding certificate and your browser will warn you about anyone who presents that jerk as a character or identity reference.
As far as I understand, the proposed law will break that trust completely. The cert can be used to make you believe that a jerk you are really talking to is the righteous and trustworthy person you think you are talking to. And you can't revoke the (trust in the) cert. From this point on you can't trust any communication whatsoever: you no longer can trust your browser maker to do the checking because they would be breaking the law by doing that. So you can't trust anyone's identity. The trustworthy guy you want to talk to is still trustworthy, you just don't know it's him on the other end of the line.
Security - including password security - is derivative. You can encrypt everything you send, but if you don't know whose key you are using, you don't know who the man in the middle might be.
Your only solution in such a situation is to meet the guy you trust in person, verify that it's him (knowing him personally will help, checking his ID card or driver's license or whatever will help only if you are sure that the security services - or another resourceful organization - didn't send someone with a fake document), and exchange keys. Then you will be able to communicate securely and privately without any certs. I remember the times when it was done routinely, in F2F meetings. Not scalable, either for AMZN or your bank, and extremely difficult, bordering on impossible, even after the key exchange if either of you has resourceful adversaries (it's a great intellectual exercise to figure out how difficult assuming you have to deal with MI5/MI6/GCHQ or CIA/FBI/NSA or some other alphabet soup).
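An added illustration of the chain-of-trust argument in the comment above, not part of the original post: a minimal path validator that checks every link up to a trusted root and honours a distrust list. Toy RSA keys built from Mersenne primes stand in for real CA keys, and every name ("bank.example", "Example Root", "Example CA", "Mandated Root") is a hypothetical, constructed value.

```python
import hashlib
from dataclasses import dataclass

E = 65537  # public exponent shared by every toy key

def keypair(a, b):
    """Toy RSA key from Mersenne primes 2**a-1 and 2**b-1: (modulus, private exp)."""
    p, q = 2**a - 1, 2**b - 1
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def digest(subject, pub, n):
    h = hashlib.sha256(f"{subject}|{pub}".encode()).digest()
    return int.from_bytes(h, "big") % n

@dataclass(frozen=True)
class Cert:
    subject: str
    pub: int      # subject's public modulus
    issuer: str
    sig: int      # issuer's signature over (subject, pub)

def issue(subject, pub, issuer, issuer_key):
    n, d = issuer_key
    return Cert(subject, pub, issuer, pow(digest(subject, pub, n), d, n))

def validate(chain, hostname, roots, distrusted=frozenset()):
    """chain is [leaf, ..., self-signed root]; roots maps trusted root name -> modulus."""
    if chain[0].subject != hostname:
        return "name mismatch"
    for cert, parent in zip(chain, chain[1:] + chain[-1:]):
        if cert.subject in distrusted:
            return f"distrusted: {cert.subject}"
        if cert.issuer != parent.subject:
            return "broken chain"
        if pow(cert.sig, E, parent.pub) != digest(cert.subject, cert.pub, parent.pub):
            return f"bad signature on {cert.subject}"
    if roots.get(chain[-1].subject) != chain[-1].pub:
        return "untrusted root"
    return "ok"

# Constructed scenario: all names and keys are hypothetical.
root_k, ca_k, bank_k = keypair(61, 89), keypair(89, 107), keypair(107, 127)
forced_k, impostor_k = keypair(61, 127), keypair(61, 107)
root = issue("Example Root", root_k[0], "Example Root", root_k)
ca = issue("Example CA", ca_k[0], "Example Root", root_k)
bank = issue("bank.example", bank_k[0], "Example CA", ca_k)
forced = issue("Mandated Root", forced_k[0], "Mandated Root", forced_k)
fake = issue("bank.example", impostor_k[0], "Mandated Root", forced_k)
store = {"Example Root": root_k[0]}
forced_store = {**store, "Mandated Root": forced_k[0]}
```

With `store`, the second certificate for "bank.example" is rejected as chaining to an untrusted root; with `forced_store` and no way to add the extra root to `distrusted`, the same validator accepts it, which is the loss of identity assurance the comment describes.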