Account key compromise

I have read section 7.3.6 of the ACME spec (the latest) and had a question on what happens if the account key has been compromised.

This was also asked here.

I searched the archives and read the replies to the question asked by “” on the subject. The final answer by Patrick - is that the end of the discussion? Is this still under review?


I’m very curious about this topic. Does anyone know?


There were a couple of other threads on this on the ACME mailing list in the last few months. I think this one is the most recent.

The consensus seems to be to leave the spec as-is for now (to get it to RFC status soon), and possibly add a new endpoint that would allow disabling authorizations held by other account keys once the owner of a new account has demonstrated control over the relevant identifier (DNS name), or something similar, in a future spec.
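For readers who land on this thread looking for what the current spec already offers once an account key is known to be compromised: RFC 8555 defines account key roll-over (section 7.3.5) and account deactivation (section 7.3.6). The Python below is an added example, not code from this thread or from any ACME client. It builds the two request bodies so the structure is visible: the roll-over is a JWS signed by the new key, wrapped in a JWS signed by the old key, and the deactivation is a single JWS signed by the account key. The signer is a constructed stand-in (real clients sign with ES256 or RS256), and the account URL, key-change URL and JWK coordinates are placeholders.

```python
import base64
import hashlib
import json
from typing import Any, Callable, Dict

# Added example, not code from this thread. Builds the RFC 8555 messages an
# account holder uses after an account key compromise: key roll-over (7.3.5)
# and account deactivation (7.3.6). The signer below is a constructed stand-in;
# real ACME clients sign with ES256/RS256 over the same signing input.

Signer = Callable[[bytes], bytes]


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWS (RFC 7515) requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def canonical_json(obj: Any) -> bytes:
    return json.dumps(obj, separators=(",", ":")).encode("utf-8")


def jwk_thumbprint(jwk: Dict[str, str]) -> str:
    """RFC 7638 thumbprint: required members only, sorted keys, no whitespace, SHA-256.
    Extra members such as 'kid' or 'use' do not change the result."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    subset = {k: jwk[k] for k in required}
    canonical = json.dumps(subset, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return b64url(hashlib.sha256(canonical).digest())


def acme_jws(protected: Dict[str, Any], payload: Any, signer: Signer) -> Dict[str, str]:
    """Flattened JSON JWS as ACME uses it: protected header, payload, signature."""
    prot = b64url(canonical_json(protected))
    pl = b64url(canonical_json(payload))
    signing_input = f"{prot}.{pl}".encode("ascii")
    return {"protected": prot, "payload": pl, "signature": b64url(signer(signing_input))}


def deactivation_request(account_url: str, nonce: str, signer: Signer) -> Dict[str, str]:
    """Section 7.3.6: POST {"status":"deactivated"} to the account URL, signed with the account key."""
    protected = {"alg": "ES256", "kid": account_url, "nonce": nonce, "url": account_url}
    return acme_jws(protected, {"status": "deactivated"}, signer)


def key_change_request(key_change_url: str, account_url: str, nonce: str,
                       old_jwk: Dict[str, str], new_jwk: Dict[str, str],
                       old_signer: Signer, new_signer: Signer) -> Dict[str, str]:
    """Section 7.3.5: the inner JWS is signed by the NEW key, carries that key in 'jwk',
    and names the account and the old key; the outer JWS is signed by the OLD key."""
    inner_protected = {"alg": "ES256", "jwk": new_jwk, "url": key_change_url}
    inner = acme_jws(inner_protected, {"account": account_url, "oldKey": old_jwk}, new_signer)
    outer_protected = {"alg": "ES256", "kid": account_url, "nonce": nonce, "url": key_change_url}
    return acme_jws(outer_protected, inner, old_signer)


def decode_jws(jws: Dict[str, str]):
    """Server-side view of a request: recover header and payload (signature check omitted)."""
    return json.loads(b64url_decode(jws["protected"])), json.loads(b64url_decode(jws["payload"]))


def make_demo_signer(label: str) -> Signer:
    # Constructed stand-in: deterministic bytes so the structure can be inspected. Not a signature.
    return lambda data: hashlib.sha256(label.encode("utf-8") + data).digest()


# Constructed sample keys (EC P-256 JWK shape with placeholder coordinates) and placeholder URLs.
OLD_JWK = {"kty": "EC", "crv": "P-256", "x": "OLD_X_PLACEHOLDER", "y": "OLD_Y_PLACEHOLDER"}
NEW_JWK = {"kty": "EC", "crv": "P-256", "x": "NEW_X_PLACEHOLDER", "y": "NEW_Y_PLACEHOLDER"}
ACCOUNT_URL = "https://acme.example/acme/acct/1"
KEY_CHANGE_URL = "https://acme.example/acme/key-change"

if __name__ == "__main__":
    old_signer, new_signer = make_demo_signer("old"), make_demo_signer("new")
    rollover = key_change_request(KEY_CHANGE_URL, ACCOUNT_URL, "nonce-1", OLD_JWK, NEW_JWK,
                                  old_signer, new_signer)
    outer_hdr, inner = decode_jws(rollover)
    inner_hdr, inner_body = decode_jws(inner)
    print("outer signed by kid:", outer_hdr["kid"])
    print("inner carries new key thumbprint:", jwk_thumbprint(inner_hdr["jwk"]))
    print("inner names old key thumbprint:", jwk_thumbprint(inner_body["oldKey"]))
    print("deactivation payload:", decode_jws(deactivation_request(ACCOUNT_URL, "nonce-2", new_signer))[1])
```

The order matters operationally: roll over to a fresh key first (the outer signature still needs the old key, so this must happen while the old key is still active), then deactivate only if the account itself is no longer wanted, since deactivation is irreversible under the spec. Neither message revokes authorizations already obtained with the compromised key, which is the gap the thread above discusses.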

