Suggestions to consider...
* Require CAs to use separate root certificates for the CA hierarchies that are for issuing certs to governments. This allows for:
** Tools and processes could be specialized for root certs that issue certs to governments.
** Different UI treatment for them.
* Restrict government roots to their TLDs