On Sun, Oct 23, 2022 at 09:48:59AM +0900, Seo Suchan wrote: > as account key doesn't fly alone but with an acme client to use it, I think > attacker already knows any order it does by just looking at clients log - > even if it didn't get certificate private key because it's processing > external CSR from somewhere else or so.
You appear to be assuming that access to an account private key necessarily implies access to the client, and furthermore that the client necessarily logs all activity. Neither of these assumptions have any basis in reality as I have observed it. - Matt _______________________________________________ Acme mailing list [email protected] https://www.ietf.org/mailman/listinfo/acme
