[malloc2x]

To decrypt after-the-handshake bytes I think you're right, they would need a leaf private key.

However, they absolutely can mount a MITM with the CA root.

EDIT: Further, if they can compel a master key then they can also compel a copy of all the private keys the CA generates.

[juhanima]

Not quite sure what you mean, but for the record, as a general rule CAs do not generate keys. They just sign the public keys coming in as Certificate Signing Requests. Without ever seeing the accompanied private key.