Account key compromise


#1

I have read the 7.3.6 of the ACME spec (the latest) and had a question on what happens if the account key has been compromised.

This was also asked here.

I searched on the archives and read the replies to the question asked by “sheel.at” on the subject. The final answer by Patrick - is that the end of the discussion? Is this still under review?

Thanks,
GK


What to do if the account key is compromised?
#2

I’m very curious about this topic.Does anyone knows?

:flashlight:


#3

There were a couple of other threads on this on the ACME mailing list in the last few months. I think this one is the most recent.

The consensus seems to be to leave the spec as-is for now (to get it to RFC status soon), and possibly add a new endpoint that would allow disabling authorizations held by other account keys once the owner of a new account has demonstrated control over the relevant identifier (DNS name), or something similar, in a future spec.


#4

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.