From what I understand, the purpose of account keys in the ACME protocol is that once authorized, the person who possesses the account key can then create and revoke certificates without having to further prove their identity.
So in a typical web-server situation, why would I want to add the additional security risk of keeping those keys around, instead of simply creating a new account key and solving a new set of challenges every 60 days? Is there a benefit to reusing the same account key each time?
I can see that with more complex server configurations, where solving the challenge might require manual intervention and/or downtime, that it would be desirable to avoid going through that process each time. (Although, I have to wonder, is it really common to have a server that allows installing new certificates in an automated fashion, but doesn’t allow you to automate the challenge process?)
It seems to me that - if you’re using Apache or Nginx or any other “normal” web server that allows webroot authentication - the most sensible thing would be to create a new account key for every new certificate, and shred it afterwards (or never store it on disk to begin with.)
(Obviously I’m also disregarding the rate limits currently imposed by the Let’s Encrypt beta program.)
To that end, it seems it would also be sensible that when registering an account key, the client should be able to specify “this key is only valid for N hours, or until K certificates have been issued.” Or at least, it should be possible for the client to revoke its own account key and/or authorizations. I have only skimmed through the ACME protocol documentation but I didn’t see either of these features mentioned.
I guess the one other potential benefit of keeping the account key around is being able to revoke certificates without further proving your identity. In an emergency situation you might need to be able to do that in minutes, without even having access to the server to be able to solve challenges. But for a situation like that, you’d presumably want to have a second account key, stored offline and authorized separately from the keys that are used for automatic renewal.