Hi, I raised this issue before but I think it was never really discussed.
Section "7.3.3. Account Information" says

> If a client wishes to query the server for information about its account (e.g., to examine the "contact" or "orders" fields), then it SHOULD do so by sending a POST request with an empty update.

Shouldn't the orders list objects be protected in the same way as the account objects?

Let's Encrypt recommends using one account for all managed domains. But this currently implies that all domains managed by an account can be retrieved without authorization. This sounds like a privacy issue to me.

Best,
Sophie

_______________________________________________
Acme mailing list
Acme@ietf.org
https://www.ietf.org/mailman/listinfo/acme
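To make the concern concrete from the server's side, here is an added illustration (not code from the post, from the ACME draft, or from any CA) of an orders endpoint that applies the same protection to the orders list that the account object already gets: it refuses an unauthenticated GET, accepts only a POST whose JWS was signed by the key of the account that owns the URL, checks that the signed "url" matches the resource requested, and refuses a nonce it has already seen. The account URLs, order URLs, nonces and the two ECDSA keys are constructed sample data; the JWS handling is a minimal ES256-style model (SHA-256 over protected.payload, signature encoded as r||s) rather than a full JOSE implementation.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
)

// Constructed sample account URLs (these are the JWS "kid" values).
const (
	acctA = "https://ca.example/acme/acct/1"
	acctB = "https://ca.example/acme/acct/2"
)

// account is the server's record for one ACME account, including its order URLs.
type account struct {
	URL    string
	Key    *ecdsa.PublicKey
	Orders []string
}

type server struct {
	accounts   map[string]*account // keyed by account URL
	usedNonces map[string]bool     // replay protection for accepted requests
}

type protectedHeader struct {
	Alg   string `json:"alg"`
	Kid   string `json:"kid"`
	Nonce string `json:"nonce"`
	URL   string `json:"url"`
}

// jws is the flattened JSON serialization ACME requests use.
type jws struct {
	Protected string `json:"protected"` // base64url(JSON protected header)
	Payload   string `json:"payload"`   // base64url(body), "{}" for an empty update
	Signature string `json:"signature"` // base64url(r || s)
}

// ErrUnauthorized covers every way a request fails to prove control of the account.
var ErrUnauthorized = errors.New("unauthorized")

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// signingInput hashes "protected.payload", the data an ES256 signature covers.
func signingInput(protected, payload string) []byte {
	h := sha256.Sum256([]byte(protected + "." + payload))
	return h[:]
}

// signRequest is the client side: sign a POST to url with the account key (hypothetical helper).
func signRequest(priv *ecdsa.PrivateKey, kid, nonce, url string, payload []byte) (jws, error) {
	hdr, err := json.Marshal(protectedHeader{Alg: "ES256", Kid: kid, Nonce: nonce, URL: url})
	if err != nil {
		return jws{}, err
	}
	p, pl := b64(hdr), b64(payload)
	r, s, err := ecdsa.Sign(rand.Reader, priv, signingInput(p, pl))
	if err != nil {
		return jws{}, err
	}
	sig := make([]byte, 64) // P-256: r and s are 32 bytes each
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return jws{Protected: p, Payload: pl, Signature: b64(sig)}, nil
}

// handleOrders serves <account URL>/orders. The list is account data, so it is returned
// only to a POST signed by the owning account's key; everything else is refused.
func (srv *server) handleOrders(method, url string, body *jws) ([]string, error) {
	if method != "POST" || body == nil {
		return nil, ErrUnauthorized // an unauthenticated GET reveals nothing
	}
	hdrBytes, err := base64.RawURLEncoding.DecodeString(body.Protected)
	if err != nil {
		return nil, ErrUnauthorized
	}
	var hdr protectedHeader
	if err := json.Unmarshal(hdrBytes, &hdr); err != nil || hdr.Alg != "ES256" {
		return nil, ErrUnauthorized
	}
	if hdr.URL != url { // signed URL must be the resource actually requested
		return nil, ErrUnauthorized
	}
	acct, ok := srv.accounts[hdr.Kid]
	if !ok || url != acct.URL+"/orders" { // the orders URL must belong to the signing account
		return nil, ErrUnauthorized
	}
	sig, err := base64.RawURLEncoding.DecodeString(body.Signature)
	if err != nil || len(sig) != 64 {
		return nil, ErrUnauthorized
	}
	r, s := new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])
	if !ecdsa.Verify(acct.Key, signingInput(body.Protected, body.Payload), r, s) {
		return nil, ErrUnauthorized
	}
	if srv.usedNonces[hdr.Nonce] { // each nonce is good for exactly one accepted request
		return nil, ErrUnauthorized
	}
	srv.usedNonces[hdr.Nonce] = true
	return acct.Orders, nil
}

// newDemoServer builds a server holding two constructed accounts and returns their private keys.
func newDemoServer() (*server, *ecdsa.PrivateKey, *ecdsa.PrivateKey) {
	privA, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	privB, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	srv := &server{accounts: map[string]*account{}, usedNonces: map[string]bool{}}
	srv.accounts[acctA] = &account{URL: acctA, Key: &privA.PublicKey,
		Orders: []string{"https://ca.example/acme/order/100", "https://ca.example/acme/order/101"}}
	srv.accounts[acctB] = &account{URL: acctB, Key: &privB.PublicKey,
		Orders: []string{"https://ca.example/acme/order/200"}}
	return srv, privA, privB
}

func main() {
	srv, privA, privB := newDemoServer()
	url := acctA + "/orders"
	_, err := srv.handleOrders("GET", url, nil)
	fmt.Println("unauthenticated GET:", err)
	req, _ := signRequest(privA, acctA, "nonce-1", url, []byte("{}"))
	orders, err := srv.handleOrders("POST", url, &req)
	fmt.Println("owner POST with empty update:", orders, err)
	req2, _ := signRequest(privB, acctB, "nonce-2", url, []byte("{}"))
	_, err = srv.handleOrders("POST", url, &req2)
	fmt.Println("other account's POST for the same URL:", err)
}
```

The cross-account case is the one the post is about: account B holds a perfectly valid key and produces a valid signature, but the orders URL it asks for is not its own, so the handler must tie the URL to the kid rather than merely checking that some account signed the request.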