>>982059 (OP)
Unless you are doing things in a completely retarded way, the CA will never get the private key for the certificate it is signing. The only issue with this is that Comodo could sign a second certificate for the same domain that GCHQ could use to MitM, but in that case it doesn't really matter which CA the site was originally using. They could slip in a fake Comodo certificate for a MitM on a site that usually uses Verisign. Just easier to recognize.
The only defense is to turn off all UK CAs in your system.