a private key. It's not uncommon to have multiple simultaneously-valid certificates for the same domain. I'd argue that it's actually sort of irresponsible and therefore surprising for a site at the scale of Instagram not to, for backup purposes.
but using that private key can still grant him access to someone's traffic to their machines. isn't revocation necessary to imply security in that domain ever again?
