Converting the SSL key from a file to a separate oracle is exactly how HSMs work, and they were existing best practice in securing keys. Keyless works the same way, just remotely, and using commodity stuff (although the local key at the user's site can live in an EKCM system, in an HSM, or otherwise be protected).
As you say, it's a big deal for revocation. It's ALSO a big deal for auditing -- you know every time a session was initially negotiated, vs. if you give someone else the key -- you have no idea how many sessions were set up. It's also just a policy/compliance thing -- not needing to go through the process to be approved to store keys from organizations makes our sales process a lot faster.
There are some fairly obvious extensions to the security model which are in the works as well.
The reason why I think it's obvious there are security advantages to keyless is that we're using it internally. For us, consolidating our keys in a smaller number of secure locations is totally worth it.
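The key-as-oracle split with a per-request audit trail that the comment describes, as an added Go illustration; it is not code from the original comment or from the Keyless SSL implementation, and the names SigningOracle, EdgeHandshake and the in-memory Audit list are assumptions made for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SigningOracle stands in for the key server: the private key never leaves
// it, and callers can only hand over a digest and get a signature back.
type SigningOracle struct {
	key   *rsa.PrivateKey
	Audit []string // one entry per request: the audit trail the comment refers to
}

func NewSigningOracle(bits int) (*SigningOracle, error) {
	k, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	return &SigningOracle{key: k}, nil
}

// Sign is the only operation the oracle exposes. It refuses anything that is
// not a SHA-256 digest, and records every request, accepted or rejected.
func (o *SigningOracle) Sign(client string, digest []byte) ([]byte, error) {
	if len(digest) != sha256.Size {
		o.Audit = append(o.Audit, "rejected: "+client+" sent a non-SHA-256 digest")
		return nil, errors.New("oracle: expected a SHA-256 digest")
	}
	o.Audit = append(o.Audit, fmt.Sprintf("signed: client=%s digest=%x", client, digest[:4]))
	return rsa.SignPKCS1v15(rand.Reader, o.key, crypto.SHA256, digest)
}

func (o *SigningOracle) PublicKey() *rsa.PublicKey { return &o.key.PublicKey }

// EdgeHandshake models the TLS-terminating side: it holds only the public key
// and the handshake transcript (constructed input here) and asks the oracle
// for the signature instead of loading the private key from a file.
func EdgeHandshake(o *SigningOracle, client string, transcript []byte) (bool, error) {
	digest := sha256.Sum256(transcript)
	sig, err := o.Sign(client, digest[:])
	if err != nil {
		return false, err
	}
	return rsa.VerifyPKCS1v15(o.PublicKey(), crypto.SHA256, digest[:], sig) == nil, nil
}

func main() {
	o, _ := NewSigningOracle(2048)
	ok, _ := EdgeHandshake(o, "edge-1", []byte("constructed handshake transcript"))
	fmt.Println("signature valid:", ok, "audit entries:", len(o.Audit))
}
```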