by hardcopy 875 days ago
WTF? CAs should be mandated to have an automated, public form/API where you can submit a private key to have it revoked.

Let's Encrypt has this. https://letsencrypt.org/docs/revoking/#using-the-certificate...

1 comment

The API for Let's Encrypt to do this requires possession of the private key, which pwnedkeys doesn't always have. Sometimes they just have an "attestation" of compromise:

https://pwnedkeys.com/submit.html

Which, if you had a standardized representation of that attestation, maybe CAs could consume that instead.

But, the author of pwnedkeys thought of that, and started an RFC for exactly that:

https://github.com/pwnedkeys/key-compromise-attestation-rfc/...

But it seems dead right now.
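The two revocation paths the reply contrasts, as an added example that is not part of the thread and is not Let's Encrypt's, pwnedkeys' or the draft RFC's code: path 1 is revocation by proof of possession (the CA hands out a nonce, the requester signs it with the certificate's private key, the CA verifies under the certificate's public key); path 2 is revocation on a third party's compromise attestation, where the CA never sees the private key and must instead trust a named attester and check that the attested key fingerprint matches the certificate. The `Attestation` struct, its `attester|compromised|fingerprint` signing string and the `TrustStore` helper are assumptions invented for this illustration; the certificate is a constructed self-signed sample.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// NewKey makes a P-256 key; the example treats it as a certificate key.
func NewKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// SelfSignedCert builds a constructed sample certificate for key, standing in
// for the certificate a CA actually issued.
func SelfSignedCert(key *ecdsa.PrivateKey) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example.invalid"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// SPKIFingerprint is hex SHA-256 over the DER SubjectPublicKeyInfo, an
// identifier for the key itself rather than for any one certificate.
func SPKIFingerprint(pub crypto.PublicKey) (string, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:]), nil
}

// Path 1, requester side: sign the CA-chosen nonce with the private key.
func SignNonce(key *ecdsa.PrivateKey, nonce []byte) ([]byte, error) {
	d := sha256.Sum256(nonce)
	return ecdsa.SignASN1(rand.Reader, key, d[:])
}

// Path 1, CA side: the signature must verify under the certificate's key.
func VerifyPossession(cert *x509.Certificate, nonce, sig []byte) bool {
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return false
	}
	d := sha256.Sum256(nonce)
	return ecdsa.VerifyASN1(pub, d[:], sig)
}

// Attestation is a hypothetical format (not the draft RFC's): a named attester
// signs a statement that the key with this fingerprint is compromised.
type Attestation struct {
	Fingerprint string
	Attester    string
	Sig         []byte
}

func attestationDigest(a Attestation) [32]byte {
	return sha256.Sum256([]byte(a.Attester + "|compromised|" + a.Fingerprint))
}

// Path 2, attester side: needs only the public key, never the private one.
func Attest(attesterKey *ecdsa.PrivateKey, attester string, pub crypto.PublicKey) (Attestation, error) {
	fp, err := SPKIFingerprint(pub)
	if err != nil {
		return Attestation{}, err
	}
	a := Attestation{Fingerprint: fp, Attester: attester}
	d := attestationDigest(a)
	a.Sig, err = ecdsa.SignASN1(rand.Reader, attesterKey, d[:])
	return a, err
}

// TrustStore is the CA's (hypothetical) list of attesters it will act on.
func TrustStore(name string, k *ecdsa.PrivateKey) map[string]*ecdsa.PublicKey {
	return map[string]*ecdsa.PublicKey{name: &k.PublicKey}
}

// Path 2, CA side: nothing proves the submitter holds the key, so the CA must
// trust the attester explicitly, check its signature, and match the key.
func VerifyAttestation(cert *x509.Certificate, a Attestation, trusted map[string]*ecdsa.PublicKey) error {
	attesterPub, ok := trusted[a.Attester]
	if !ok {
		return errors.New("attester not trusted by this CA: " + a.Attester)
	}
	d := attestationDigest(a)
	if !ecdsa.VerifyASN1(attesterPub, d[:], a.Sig) {
		return errors.New("attestation signature invalid")
	}
	fp, err := SPKIFingerprint(cert.PublicKey)
	if err != nil {
		return err
	}
	if fp != a.Fingerprint {
		return errors.New("attestation is for a different key")
	}
	return nil
}

func main() {
	key := NewKey()
	cert, _ := SelfSignedCert(key)
	sig, _ := SignNonce(key, []byte("ca-nonce-1"))
	fmt.Println("proof of possession:", VerifyPossession(cert, []byte("ca-nonce-1"), sig))
	attester := NewKey()
	a, _ := Attest(attester, "attester-A", &key.PublicKey)
	fmt.Println("attestation accepted:", VerifyAttestation(cert, a, TrustStore("attester-A", attester)) == nil)
}
```

The point the two CA-side functions make is the one the reply raises: `VerifyPossession` needs no trust decision beyond the certificate itself, while `VerifyAttestation` only works once a CA has decided which attesters to believe, which is exactly what a standardized attestation format would have to settle.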