"we would be able to quickly deauthorize manufacturers’ public keys at various levels of granularity."
The wording suggests they can't deauthorize an individual device's key, perhaps because they're not unique. So would they have to brick innocent devices that happen to be from the same batch as the attackers'?
They don't need to brick anything, they can just throttle those that match for a bit. Cloudflare are not in a business of blocking people, they just need to protect sites from being overwhelmed by bots.
The wording suggests they can't deauthorize an individual device's key, perhaps because they're not unique. So would they have to brick innocent devices that happen to be from the same batch as the attackers'?