by karlmdavis 4738 days ago
Is this correct? Wouldn't they still need all of the leaf private keys to decrypt things?

My understanding was that having a CA's private key just enables someone to issue new child keys for that CA. That vulnerability could be addressed with certificate pinning.

1 comment

To decrypt after-the-handshake bytes I think you're right, they would need a leaf private key.

However, they absolutely can mount a MITM with the CA root.

EDIT: Further, if they can compel a master key then they can also compel a copy of all the private keys the CA generates.

Not quite sure what you mean, but for the record, as a general rule CAs do not generate keys. They just sign the public keys that come in as Certificate Signing Requests, without ever seeing the accompanying private key.
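An added example (not from this thread) showing the two points made above: a CSR carries only the leaf public key, so a CA key never yields leaf private keys, yet a CA key can mint a second, chain-valid certificate for the same name, which an SPKI pin detects. It assumes the third-party `cryptography` package; the CA and site names are constructed.

```python
import datetime
import hashlib
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
def make_csr(subject, key):
    # A CSR carries the subject and the PUBLIC key only, self-signed with the leaf key.
    return x509.CertificateSigningRequestBuilder().subject_name(subject).sign(key, hashes.SHA256())

def sign_csr(ca_key, ca_name, csr):
    # The issuer only ever sees csr.public_key(); no private key crosses this boundary.
    now = datetime.datetime.now(datetime.timezone.utc)
    return (x509.CertificateBuilder()
            .subject_name(csr.subject).issuer_name(ca_name)
            .public_key(csr.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=1))
            .sign(ca_key, hashes.SHA256()))

def chains_to(cert, ca_key):
    # Plain chain check: does the CA key's signature verify over the TBS bytes?
    try:
        ca_key.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   ec.ECDSA(cert.signature_hash_algorithm))
        return True
    except Exception:
        return False

def spki_pin(public_key):
    # SHA-256 over the DER SubjectPublicKeyInfo: the value a pinning client stores.
    der = public_key.public_bytes(serialization.Encoding.DER,
                                  serialization.PublicFormat.SubjectPublicKeyInfo)
    return hashlib.sha256(der).hexdigest()

def demo():
    ca_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Demo CA")])
    site = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "example.test")])  # constructed names
    ca_key, leaf_key, rogue_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
    csr = make_csr(site, leaf_key)
    genuine = sign_csr(ca_key, ca_name, csr)
    # Whoever holds the CA key can sign a second cert for the same name with a key they hold.
    rogue = sign_csr(ca_key, ca_name, make_csr(site, rogue_key))
    return {
        "csr_has_private_key": b"PRIVATE KEY" in csr.public_bytes(serialization.Encoding.PEM),
        "genuine_holds_leaf_pubkey": spki_pin(genuine.public_key()) == spki_pin(leaf_key.public_key()),
        "rogue_passes_chain_check": chains_to(rogue, ca_key),
        "pin_rejects_rogue": spki_pin(rogue.public_key()) != spki_pin(genuine.public_key()),
    }
```

The rogue certificate passes an ordinary chain check but fails the pin, which is exactly why pinning limits what a compromised CA key buys.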