After reading the ACME specs, some community topics here and also Boulder’s issue tracker, I have one question remaining…
Let’s present the context first:
An account key pair is registered and authorized (for 10 months) for domain example.com. There have been 4 certificates that have been issued during these 10 months.
For the next certificate renewal, the authorization for that account key pair is expired. So the client performs a new authorization request for example.com.
The question is (well… are): will PoP be mandatory besides DV challenges to perform the authorization? Shouldn’t DV challenges be enough? And what if the subject keys are lost?
It is interesting to notice that if certificates are revoked, Boulder wouldn’t ask for any PoP (#660 in Boulder’s issue tracker).