It was my understanding that only the ACME account to which the resources (orders, authzs, challenges) belong can access them. When you say that any other account can access them as well via POST-as-GET, did you test that with Boulder? Or Pebble? Or both? I would say that it would be a bug if that’s possible.
felixf
2