| I state that by clearly stating the premise and assumptions in an if/then format: > If users trust the key because they trust updates coming from Daniel ..., then That's a big-ish "if"; I didn't weigh in on whether I think it's true. A reasonable person could go either-way on that. If it is true, then Daniel was justified, if it's not, then he wasn't. > ... when the users have no control or say over this decision? If we assume that people trusted Copperhead-the-organization because they trusted Daniel and that Daniel's removal is a change-of-hands, then the decisions is: - Do nothing (and stop receiving updates) - Start trusting the new engineering leadership of Copperhead-the-organization From that perspective, it makes sense that Daniel should destroy the key: Making the active decision to start trusting the new Copperhead requires the active technical step of installing the new key; making the inactive decision doesn't require action. If on the other hand we assume that Daniel was an implementation detail and that people trust Copperhead-the-organization as an institution, then the decision is: - Stop trusting Copperhead-the-organization (and stop receiving updates) - Do nothing From that perspective, it makes sense that Daniel should not destroy the key: Making the active decision of ceasing trust requires the active technical step of disabling updates. |