[Acme] Re: Proposal for Enhancing ACME Protocol with ACME++

2025-01-08 Thread Richard Barnes
Hi Tianyu Zhang, Thanks for this proposal. It would be helpful if we could back up a step: What types of attacks are you trying to mitigate here? The mechanism you describe here is very generic; anything at all could go in the newClientAuthz challenges. What sorts of properties of the client mi

[Acme] Re: Proposal for Enhancing ACME Protocol with ACME++

2025-01-08 Thread Michael Richardson
wrote:
> If both conditions are met, the CA proceeds with certificate issuance
> according to the standard ACME protocol. If the IP addresses do not
> match, the CA terminates the connection, as this may indicate a
> compromised ACME account.

So if the client is behind NAT44 or N