by Too 736 days ago
With normal keys you have a similar issue of removing the key from all servers. If you can do this, you can also deploy a revocation list.
2 comments

My point is that, at first glance, this appears to be a solution that doesn't require you to do an operation on all N servers when you add a new key. Just warning people that you DO still need to have that infrastructure in place to push updated CRLs, although you'll hopefully need to use it a lot less than if you were manually pushing updated authorized_keys files to everything.
Easier to test if Jenkins can SSH in than to test a former employee cannot. Especially if you don't have the unencrypted private key.
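The two points above (you still need a way to push an updated revocation list to every server, and you can verify that a departed user's key is refused without holding their private key) can be exercised with OpenSSH's own Key Revocation List (KRL) tooling. The script below is an added example, not code from any commenter or from the OpenSSH project; it assumes `ssh-keygen` is installed, generates its own throwaway sample keys, and the `deploy_krl` host list is a hypothetical placeholder you would replace with your inventory.

```shell
#!/bin/sh
# Added example (not from the thread): maintain an OpenSSH KRL, check a public
# key against it, and push it to the servers that enforce it via
#   RevokedKeys /etc/ssh/revoked.krl     (sshd_config)
# Sample keys are constructed locally in a temp dir; no real identities involved.
set -eu

WORK="${WORK:-$(mktemp -d)}"
KRL="$WORK/revoked.krl"

# Constructed sample keys: an active service account and a departed user.
make_sample_keys() {
    ssh-keygen -q -t ed25519 -N '' -C jenkins -f "$WORK/jenkins" </dev/null
    ssh-keygen -q -t ed25519 -N '' -C former-employee -f "$WORK/former" </dev/null
}

# Revoke by PUBLIC key only: the private key is never needed to revoke.
# First call creates the KRL (-k), later calls update it in place (-k -u).
revoke_key() {
    pub="$1"
    if [ -f "$KRL" ]; then
        ssh-keygen -q -k -u -f "$KRL" "$pub"
    else
        ssh-keygen -q -k -f "$KRL" "$pub"
    fi
}

# Returns 0 (true) if the KRL revokes the key, 1 if it is still accepted.
# ssh-keygen -Q exits non-zero when any listed key is revoked. A missing or
# unreadable KRL is treated as "revoked" here, which mirrors sshd: when the
# RevokedKeys file cannot be read, sshd refuses all public-key logins.
is_revoked() {
    if ssh-keygen -Q -f "$KRL" "$1" >/dev/null 2>&1; then
        return 1
    else
        return 0
    fi
}

# Human-readable dump of what the KRL currently revokes.
show_krl() {
    ssh-keygen -Q -l -f "$KRL"
}

# The "push to all N servers" step from the thread. Hosts are placeholders;
# sshd re-reads RevokedKeys on each authentication, so no restart is needed,
# and `sshd -t` catches a broken config before anyone is locked out.
deploy_krl() {
    for host in "$@"; do
        scp -q "$KRL" "$host:/tmp/revoked.krl.new"
        ssh "$host" 'sudo install -m 0644 /tmp/revoked.krl.new /etc/ssh/revoked.krl && sudo sshd -t'
    done
}

demo() {
    make_sample_keys
    revoke_key "$WORK/former.pub"
    show_krl
    if is_revoked "$WORK/former.pub"; then
        echo "former-employee key: REVOKED (as expected)"
    fi
    if ! is_revoked "$WORK/jenkins.pub"; then
        echo "jenkins key: still accepted"
    fi
    # deploy_krl bastion.example.invalid app1.example.invalid   # hypothetical hosts
}

# Run the demo only when explicitly asked, so the functions can be sourced.
if [ "${1:-}" = "demo" ]; then
    demo
fi
```

Run it as `sh krl-demo.sh demo`. Because `is_revoked` only needs `.pub` files, the "can a former employee still get in?" test from the thread becomes a routine check you can run against every server's KRL copy, rather than something that requires a private key you hopefully no longer have.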