Key is five days old @rh587
So whilst you are right that it would allow retroactive decryption of any emails that are signed with it, that's only for the past week assuming it was even deployed the same day it was created. It could well be that posting the public key is part of their deployment protocol meaning it was only actually in use for a few hours. Maybe.
Don't get me wrong, it's a howler. But the practical effect is less than you suggest.
Biting the hand that feeds IT
