
I'm fairly confused by your stance here. I was expecting you to tell us that a) security with backdoors is worthless (intermediate CAs, for use in packet inspection devices, not merely proxies) and b) security without control (and repercussions) for those that guarantee the security.

It's not exactly a "standard and legitimate feature" either; there were lengthy discussions this very year [1].

[1]: https://bugzilla.mozilla.org/show_bug.cgi?id=724929



The distinction is presumably about whether clients have to be modified to accept a particular (organizational) root or whether someone gets access to a root CA that will work with unmodified mainstream browsers.

The "standard" way of doing enterprise network surveillance and censorship is by getting end-users to use client software with a modified configuration that (unlike the general public's browsers) accepts the surveillance and censorship without generating a browser warning. In the Trustwave case, it was done with unmodified software and hence could have been done against the general public, or unsuspecting corporate users.

There have been interesting policy discussions about the fact that HTTPS site operators may not "consent" to this surveillance, even if some end users are considered to have done so. For example, PayPal might not want corporate network operators to have access to employees' PayPal credentials or financial transaction data. Hence PayPal's preferences might be something like

employee doesn't use PayPal at work > employee uses PayPal at work without interception by employer > employee uses PayPal at work with interception by employer

while the employee's preferences might be

employee uses PayPal at work without interception by employer > employee uses PayPal at work with interception by employer > employee doesn't use PayPal at work

and the employer's preferences might be

employee doesn't use PayPal at work > employee uses PayPal at work with interception by employer > employee uses PayPal at work without interception by employer


You're confusing two issues. Enterprises can MITM traffic without being issued an intermediate CA=YES certificate; they just add their own root certificate to all their desktops.


Enterprises MITMing traffic is wrong, regardless of any of this; it's pretty much the reason why Google has introduced Cert Pinning, as the 'security' aspect of those boxes is utter and complete bullshit.


That's pretty silly. Enterprises are also obligated to ensure that random employees don't spirit out millions of customer account files over the Internet. If you want an unimpeded Internet connection, provide your own.


I can think of legitimate reasons for enterprises to MITM traffic. For example, protecting users against malware as a result of drive-by downloads or spear phishing campaigns. Data loss prevention is another good reason -- I would want an enterprise that I'm trusting with my credit card data to alert on payment instruments leaving their network to gmail accounts, for instance.


Data loss prevention is another good reason

In some regions, companies are legally required to ensure personal data is protected. It's against the law for them to not protect it.


Employers often have legal responsibilities to their employees to ensure that those employees aren't exposed to ahem unprofessional content from other employees. The only real way to do this is to intercept and filter HTTPS traffic. Otherwise you're one HTTPS porn site away from a sexual harassment case.


Chrome will ignore the pin if there's a manually installed CA on the client, exactly to allow corporate MITMing.


So, presumably they put their badly-issued "real" public cert on the checkpoint (instead of making their own captive CA and root key/cert for that), and it would have just complained/not worked, normally, but since it was mistakenly issued as CA=YES, it worked, and no one cared. Then Google discovered it because of some Chrome users behind the checkpoint.

I guess incompetence is a decent explanation here, and probably the most likely, but also provides a very convenient explanation if you wanted to hide something more sinister.


"Then Google discovered it because of some Chrome users behind the checkpoint."

And cue the banning of Chrome on government networks in 3. 2. 1...


I hope they wouldn't. It's like a canary in the coal mines. It's an easy way to be alerted to serious problems in your organisation....



