I have read the 7.3.6 of the ACME spec (the latest) and had a question on what happens if the account key has been compromised.
This was also asked here.
I searched on the archives and read the replies to the question asked by “sheel.at” on the subject. The final answer by Patrick - is that the end of the discussion? Is this still under review?
Thanks,
GK
I’m very curious about this topic.Does anyone knows?
There were a couple of other threads on this on the ACME mailing list in the last few months. I think this one is the most recent.
The consensus seems to be to leave the spec as-is for now (to get it to RFC status soon), and possibly add a new endpoint that would allow disabling authorizations held by other account keys once the owner of a new account has demonstrated control over the relevant identifier (DNS name), or something similar, in a future spec.
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.