I'm surprised key revocation wasn't figured out early. I guess the complexity is in indicating what the new valid key is?