Could kazakhstan take "national security cert" traffic, crack it and then apply a different, globally trusted cert? Couldnt they also strip the public-key-pins header from incoming traffic?