> There are four classes of attackers against which we consider our security guarantees: passive network attackers, active network attackers, active network attackers with misissued certificates and attackers in possession of the legitimate server's private key.
Basically (and this is just my understanding), it should mean a MITM cannot decode the encrypted stream even if he has the legitimate server's private key.
That section is dealing purely with an attacker who wants to impersonate a ChannelID. It's correct that an attacker cannot fool the real server into believing that it is in possession of a ChannelID, even if the attacker has the server's private key (so long as the server is forward secure). However, that doesn't mean that the client isn't fooled.
> There are four classes of attackers against which we consider our security guarantees: passive network attackers, active network attackers, active network attackers with misissued certificates and attackers in possession of the legitimate server's private key.
Basically (and this is just my understanding), it should mean a MITM cannot decode the encrypted stream even if he has the legitimate server's private key.