Small question on the Pending Authorizations ratelimit:
The RFC states that an Authorization is created in the
pending state. Great.
When I create a new AcmeOrder, the response contains this payload:
"authorizations": [ "https://example.com/acme/authz/PAniVnsZcis", "https://example.com/acme/authz/r4HqLzrSrpI" ],
Is the content of the “authorizations” payload considered to be a fully created Authorization that counts towards this ratelimit?
Is the content essentially a promise which will create a
pending Authorization when first visited (unless it is an existing Authorization)?
I expect the first scenario to be what is happening, but I wanted to ask about the second case - because 3 certs with 100 domains each would fully consume the ratelimit if there were no cleanup routine in the client. My client is set to revoke all 100, but I wanted to be sure.