For 2. note that Let's Encrypt just automates a facility every CA provides (is required to provide). A compliant CA is required to have a means by which you can point out that a private key is revealed and they'll revoke certificates for the corresponding public key. It's just that for Let's Encrypt this is automated the same way as everything else.
You SHOULD NOT post private keys. If you find a key that you think shouldn't have been shown to you, you can prove you have it without posting it anywhere. That's what Let's Encrypt does in the revoke-with-key modality. A poor man's way to do this with tools a typical Linux system has is to construct a CSR using that private key, but requesting a Subject that makes it obvious this is a bogus request, e.g. CN="mholt should not have this private key" instead of any real subject. Bad guys don't learn the private key by seeing this CSR, but everyone (who understands cryptography) learns that you must have the private key or moral equivalent.
The requirement to revoke if a private key is revealed is why that craziness with the reseller happened earlier this year where they'd been keeping all their customer keys in escrow (if you allowed them to generate the key - never do this) and they said "Oh, these keys are leaked" and sent all the keys to the Certificate Authority. The CA went "Oh, these really are the private keys, huh" and revoked all the affected certificates. The Baseline Requirements don't have an option for "But, but, my reseller is an idiot, pretend you haven't seen the keys". So, don't trust your idiot reseller with your keys and then they can't do that to you.
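The CSR proof-of-possession trick described above, as an added example that is not part of the original comment: it builds a CSR signed with the (here freshly generated, for the demo) private key under an obviously bogus CN, then shows what a third party can check from the CSR alone, namely that the signature verifies and that the CSR's public key matches the key the certificate was issued for. The key files, the `make_proof_csr`/`verify_proof` function names and the CN text are this example's own; a real case would use the found key rather than generating one.

```shell
#!/bin/sh
# Proof of possession of a private key via a CSR with a bogus Subject.
# Only the openssl CLI is used. Nothing here writes the private key into
# the CSR: a CSR carries the public key, the Subject and a signature.

# make_proof_csr KEY CSR CN
#   Sign a CSR with KEY whose Subject is the obviously fake CN string.
make_proof_csr() {
  key=$1; csr=$2; cn=$3
  openssl req -new -key "$key" -subj "/CN=$cn" -out "$csr" 2>/dev/null
}

# pubkey_fingerprint_of_key KEY   -> sha256 of KEY's public half (PEM)
pubkey_fingerprint_of_key() {
  openssl pkey -in "$1" -pubout 2>/dev/null | openssl dgst -sha256
}

# pubkey_fingerprint_of_csr CSR   -> sha256 of the public key inside CSR (PEM)
pubkey_fingerprint_of_csr() {
  openssl req -in "$1" -noout -pubkey 2>/dev/null | openssl dgst -sha256
}

# verify_proof KEY CSR
#   What the verifier (e.g. a CA or the site owner) can check with only the
#   CSR and the public key they already hold: returns 0 iff the CSR's
#   self-signature verifies AND its public key is the one paired with KEY.
#   The verifier would normally take the public key from the deployed
#   certificate; here it is derived from KEY for a self-contained demo.
verify_proof() {
  key=$1; csr=$2
  openssl req -in "$csr" -noout -verify >/dev/null 2>&1 || return 1
  want=$(pubkey_fingerprint_of_key "$key")
  got=$(pubkey_fingerprint_of_csr "$csr")
  [ -n "$want" ] && [ "$want" = "$got" ]
}

# csr_subject CSR -> the Subject line, so the bogus CN is visible to everyone
csr_subject() {
  openssl req -in "$1" -noout -subject 2>/dev/null
}

# Demo: constructed key material, standing in for a key found somewhere it
# should not have been.
demo() {
  d=$(mktemp -d)
  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
    -out "$d/leaked.pem" 2>/dev/null
  make_proof_csr "$d/leaked.pem" "$d/proof.csr" \
    "mholt should not have this private key"
  csr_subject "$d/proof.csr"
  if verify_proof "$d/leaked.pem" "$d/proof.csr"; then
    echo "proof OK: whoever made this CSR holds the private key"
  else
    echo "proof FAILED"
  fi
  rm -rf "$d"
}

demo
```

The bogus CN is the important part: a CA will not issue for a Subject like that, so publishing the CSR gives an attacker nothing a public key did not already give them, while anyone can run the `verify_proof` checks themselves. For Let's Encrypt specifically the same fact is established by signing the ACME revocation request with the key, which is what revoke-with-key does.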
Recently a bank in Brazil had the private key for its main domain (and internet banking frontend) leaked. The leaker tried to ransom the bank but wasn't happy, so he went to the press with a detailed report of what he got, and included a message signed with the bank's key as proof. The bank denied everything.
But the more interesting thing was that, when confronted about the key, they said it was indeed legit, but their site had already been using a new certificate for a while, so everything was OK. And part of the press bought it, including sites targeted at technical audiences. That's how much a lot of people in the real world don't know exactly how PKI works.
It took a few weeks until the leaked cert was finally revoked. And now I wonder if it was really the bank who did it.