Key rotation doesn't change the account URI — ACME key rollover (RFC 8555 §7.3.5) replaces the key pair but keeps the same account URL, which is one of the reasons the draft uses account URI rather than a public key.…
An open PR on the draft (#35) adds exactly this language: if a CA performs DNSSEC validation and it fails (expired signatures, broken chain of trust), the CA MUST treat it as a challenge failure and MUST NOT use the…
The ACME account URI does not appear in issued certificates. X.509 certs contain the subject, issuer, SANs, validity period, SCTs, etc., but no ACME account identifier. You can verify this by inspecting any Let's…
I'm one of the draft authors. Several questions here touch real design tradeoffs — addressing the main threads: Why account URI instead of a public key in the record? (micw, 9dev, csense) Three reasons: 1. Key rotation…
Sounds like Smithsburg Middle School in Maryland.
Key rotation doesn't change the account URI — ACME key rollover (RFC 8555 §7.3.5) replaces the key pair but keeps the same account URL, which is one of the reasons the draft uses account URI rather than a public key.…
An open PR on the draft (#35) adds exactly this language: if a CA performs DNSSEC validation and it fails (expired signatures, broken chain of trust), the CA MUST treat it as a challenge failure and MUST NOT use the…
The ACME account URI does not appear in issued certificates. X.509 certs contain the subject, issuer, SANs, validity period, SCTs, etc., but no ACME account identifier. You can verify this by inspecting any Let's…
I'm one of the draft authors. Several questions here touch real design tradeoffs — addressing the main threads: Why account URI instead of a public key in the record? (micw, 9dev, csense) Three reasons: 1. Key rotation…
Sounds like Smithsburg Middle School in Maryland.