I am testing revoke API in the staging environment using two accounts, say A and B. Now I issued a certificate for my website xyz.com using A -> certificate C_a and using B->certificate C_b.
Now, if I try to revoke the certificate C_a using the private key of account B, it is working fine and C_a is revoked!
One possible explanation I can think of is this- an account that holds authorizations for all of the identifiers in the certificate.
Is this the correct explanation or an I missing something?
Yes, that is likely the correct explanation: an ACME registration that has a valid authorization for a hostname can revoke any certificate for that hostname, except for certs that also contain other hostnames not covered by its authorizations.