He's referring to the master key, which will be used to sign the per developer signing keys. If that is stolen, then it will be possible to sign arbitrary signing keys and issue arbitrary revocation certificates.