Axel Thimm wrote:
If ATM the key is considered stolen, the users need to stop using
the
key immediately anyway. Issuing a new package signed with the old key
is just keeping the racing window open.
(...snip...)
I agree with you for the most part, but I'll leave the risk assessment
and corresponding consequential response paradigm to the ones that know
best what happened and are actually in a position to decide whether or
not to revoke keys and nuke content or to make it an easy transition now
just to be safe rather then sorry.
Kind regards,
Jeroen van Meeuwen
-kanarip