...

...

Third-party outside the US Why should a customer buy from you instead of directly from the non-US party? If you can find a way to only have service compromised if you're BOTH compromised, that might let you add some value, but otherwise you're just a consultant.

enforce forward secrecy, allow no non-forward secret suites. this is critical.

Absolutely.

problem solved.. ...they will however treat this as contempt of court - the escalation would be infinitely interesting!

If your certificate is for signatures only (e.g. on DH keyparts), not for encryption, you've got a much stronger case to make in court. And it's much tougher for them to argue "contempt" if you do have to cave and give them your signature key but then generate a new one and start using it, as long as you don't destroy the old one (which would potentially be destroying evidence.) The question is whether they can force you to retain the DH keyparts.