Not sure if I’m missing something there or just missed some announcement, but while testing v2 of the API I have noticed that revocation now behaves differently. For version 1 of the API, using either of the two keys (the “account” or the “domain” one) along with the certificate in the revocation request would have resulted in a successful revocation.
However, if you try revocation against v2, it will work with the “domain” key but will return the following error if used with the “account” key: “JWK embedded in revocation request must be the same public key as the cert to be revoked”. That is likely related to the following commit - https://github.com/letsencrypt/boulder/commit/29377bb9d24a5318f048f8ca43f806620be04335
The comments around revokeCertByJWK in the commit above seem to indicate that it is indeed a domain key expected there, but https://tools.ietf.org/html/draft-ietf-acme-acme-09#section-7.6 mentions “account” key rather than “domain” one for the revocation request. Is this some intentional change and the specification needs to be updated or a bug?
I’m guessing @cpu has the answer to the above, but was wondering if anyone else has observed this behaviour as well?
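To make the two revocation paths concrete, here is an added example (not Boulder's code and not from the original post) that builds an ACME revokeCert JWS three ways and runs it through a minimal server-side check. The signer embeds its own public key as `jwk` when no `kid` is given, which is the path the error message above applies to; with a `kid` the server resolves the account key instead. The server only implements the "embedded JWK must equal the certificate's public key" rule and the signature check; the authorization check Boulder performs on the account-key path (whether that account may revoke that certificate) is out of scope and simply returns success. The ES256 algorithm, the `acme-v02.example` URLs, the nonce and the self-signed test certificate are all assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// revokeURL is an assumed endpoint for the example, not a real ACME URL.
const revokeURL = "https://acme-v02.example/acme/revoke-cert"

// ErrJWKMismatch reuses the error text quoted in the post.
var ErrJWKMismatch = errors.New("JWK embedded in revocation request must be the same public key as the cert to be revoked")

// JWK is the minimal EC public-key representation used in the protected header.
type JWK struct {
	Kty string `json:"kty"`
	Crv string `json:"crv"`
	X   string `json:"x"`
	Y   string `json:"y"`
}

// Header is the JWS protected header; ACME requires exactly one of jwk or kid.
type Header struct {
	Alg   string `json:"alg"`
	Nonce string `json:"nonce"`
	URL   string `json:"url"`
	JWK   *JWK   `json:"jwk,omitempty"`
	Kid   string `json:"kid,omitempty"`
}

// JWS is the flattened JSON serialization ACME uses for request bodies.
type JWS struct {
	Protected string `json:"protected"`
	Payload   string `json:"payload"`
	Signature string `json:"signature"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

func keyToJWK(pub *ecdsa.PublicKey) *JWK {
	return &JWK{Kty: "EC", Crv: "P-256",
		X: b64(pub.X.FillBytes(make([]byte, 32))), Y: b64(pub.Y.FillBytes(make([]byte, 32)))}
}

func jwkToKey(j *JWK) (*ecdsa.PublicKey, error) {
	x, errX := base64.RawURLEncoding.DecodeString(j.X)
	y, errY := base64.RawURLEncoding.DecodeString(j.Y)
	if j.Kty != "EC" || j.Crv != "P-256" || errX != nil || errY != nil {
		return nil, errors.New("unsupported or malformed JWK")
	}
	pub := &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(x), Y: new(big.Int).SetBytes(y)}
	if !pub.Curve.IsOnCurve(pub.X, pub.Y) {
		return nil, errors.New("JWK point not on curve")
	}
	return pub, nil
}

// SignRevocation builds a revokeCert JWS signed with ES256. With kid == "" the
// signer's public key is embedded as jwk; otherwise kid names the account.
func SignRevocation(signer *ecdsa.PrivateKey, kid string, certDER []byte) (JWS, error) {
	h := Header{Alg: "ES256", Nonce: "constructed-nonce", URL: revokeURL, Kid: kid}
	if kid == "" {
		h.JWK = keyToJWK(&signer.PublicKey)
	}
	hb, _ := json.Marshal(h)
	pb, _ := json.Marshal(map[string]string{"certificate": b64(certDER)})
	protected, payload := b64(hb), b64(pb)
	digest := sha256.Sum256([]byte(protected + "." + payload))
	r, s, err := ecdsa.Sign(rand.Reader, signer, digest[:])
	if err != nil {
		return JWS{}, err
	}
	sig := append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...)
	return JWS{Protected: protected, Payload: payload, Signature: b64(sig)}, nil
}

// Server holds registered account keys indexed by their kid URL.
type Server struct{ Accounts map[string]*ecdsa.PublicKey }

// RevokeCert applies the two server-side paths: an embedded jwk must be the
// certificate's own public key; a kid is resolved to a registered account key.
func (s *Server) RevokeCert(j JWS) error {
	hb, err := base64.RawURLEncoding.DecodeString(j.Protected)
	if err != nil {
		return err
	}
	var h Header
	if err := json.Unmarshal(hb, &h); err != nil {
		return err
	}
	if (h.JWK == nil) == (h.Kid == "") {
		return errors.New("exactly one of jwk or kid must be present")
	}
	pb, err := base64.RawURLEncoding.DecodeString(j.Payload)
	if err != nil {
		return err
	}
	var body struct {
		Certificate string `json:"certificate"`
	}
	if err := json.Unmarshal(pb, &body); err != nil {
		return err
	}
	der, err := base64.RawURLEncoding.DecodeString(body.Certificate)
	if err != nil {
		return err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return err
	}
	var verifyKey *ecdsa.PublicKey
	if h.JWK != nil {
		if verifyKey, err = jwkToKey(h.JWK); err != nil {
			return err
		}
		// The v2 rule from the post: the embedded key must be the certificate's key.
		if certKey, ok := cert.PublicKey.(*ecdsa.PublicKey); !ok || !certKey.Equal(verifyKey) {
			return ErrJWKMismatch
		}
	} else if verifyKey = s.Accounts[h.Kid]; verifyKey == nil {
		return errors.New("unknown account kid")
	}
	sig, err := base64.RawURLEncoding.DecodeString(j.Signature)
	if err != nil || len(sig) != 64 {
		return errors.New("malformed signature")
	}
	digest := sha256.Sum256([]byte(j.Protected + "." + j.Payload))
	if !ecdsa.Verify(verifyKey, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return errors.New("bad signature")
	}
	return nil // account-path authorization (does this account own the cert?) is out of scope here
}

// NewTestPKI creates an account key, a separate certificate key and a self-signed
// certificate for that key. This is constructed test data, not a real issuance.
func NewTestPKI() (acct, certKey *ecdsa.PrivateKey, certDER []byte, err error) {
	acct, _ = ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	certKey, _ = ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example.test"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	certDER, err = x509.CreateCertificate(rand.Reader, tmpl, tmpl, &certKey.PublicKey, certKey)
	return
}

func main() {
	acct, certKey, der, _ := NewTestPKI()
	kid := "https://acme-v02.example/acme/acct/1"
	srv := &Server{Accounts: map[string]*ecdsa.PublicKey{kid: &acct.PublicKey}}
	byCert, _ := SignRevocation(certKey, "", der)
	byAcctJWK, _ := SignRevocation(acct, "", der)
	byAcctKid, _ := SignRevocation(acct, kid, der)
	fmt.Println("cert key, jwk embedded:   ", srv.RevokeCert(byCert))
	fmt.Println("account key, jwk embedded:", srv.RevokeCert(byAcctJWK))
	fmt.Println("account key, kid:         ", srv.RevokeCert(byAcctKid))
}
```

The second case is the one the post describes: an account key that is embedded as `jwk` rather than referenced by `kid` is treated as a certificate-key revocation, so the equality check fails with the quoted error even though the signature itself is valid.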