I don't understand what the risk is. If a client sees and understands the extension, it can update its trust store to have the new key. If a client does not see, or does not understand, the extension, then the trust store will have to be updated out of band, just like it is now. CAs that use this extension must take proper care to ensure that the private key is not exposed.