I’m finding a bunch of authzs that simultaneously have a status of
pending with an
expires in the distant past.
A (had been) relying on the
status field to indicate whether the authz was usable, on the assumption that (pending + expired) = invalid.
Is it the intent that clients should pay attention to the authz expiry as well? Boulder seems to count pending authorizations with an
expires > clause, so I am guessing maybe yes?