Shoot, I forgot the third way and now I feel silly. Yeah, probably the easiest thing to do in a lot of cases where the certificate private key is compromised but you no longer have it would be to just validate control again with a new account and use that to revoke the old certificate. I still don't think you could mark that revocation as keyCompromise though since the change 6 weeks ago.