
So in your opinion the one who actually buys and gets the certificate from the StartSSL web site must not share it with the system administrator? Or some second-in-command?

IMO, as long as the key is only known to people whom the rightful owner explicitly wanted to possess it, it is not compromised.

This is just an extreme case of a troll wanting the whole world to have the key.

It has nothing to do with Heartbleed! Posting your private key in a gist on the web is not the same as being a victim of some hacking because of an OpenSSL bug.




> So in your opinion the one who actually buys and gets the certificate from the StartSSL web site must not share it with the system administrator? Or some second-in-command?

This key is now public and must be revoked. Bottom line. StartSSL can even conceivably invoice him for the work, but they have to revoke it if they want to be a CA in a secure public-key infrastructure.



