I realize this topic doesn’t really matter while unauthenticated GETs are still supported for the various ACME objects. But when it eventually gets turned off, I’m curious what the intent is.
For things like Orders, Authorizations, and Challenges that are tied to a specific account, should any ACME account be able to sign a POST-as-GET request to query those resources if they know the location/URL? Or should only the account owner be able to?
Today, it appears any account can sign the request and get the data. But will that always be the case?
In section 6.3 the spec says:
On receiving a request with a zero-length (and thus non-JSON) payload, the server MUST authenticate the sender and verify any access control rules.
But I can’t find any references on mandated access control rules associated with the object types. Is it basically a server implementation choice?