More prohibitions on key reuse

ietf-wg-acme · Nov 3, 2018 · 7a8a99a · 7a8a99a
1 parent 71ab9da
commit 7a8a99a
Showing 1 changed file with 6 additions and 1 deletion.
diff --git a/draft-ietf-acme-acme.md b/draft-ietf-acme-acme.md
@@ -3385,7 +3385,12 @@ account holder could take within the scope of ACME:
 For this reason, it is RECOMMENDED that account key pairs be used for no other
 purpose besides ACME authentication.  For example, the public key of an account
 key pair SHOULD NOT be included in a certificate.  ACME clients MUST NOT reuse 
-the same account key for multiple accounts.  ACME clients and servers
+the same account key for multiple accounts, and MUST NOT allow account key 
+roll-over to a previously-used account key.  ACME servers SHOULD reject a 
+new-account request using an account key already associated with an account 
+on the server.  
+
+ACME clients and servers
 SHOULD verify that a CSR submitted in a finalize request does not contain a
 public key for any known account key pair.  In particular, when a server
 receives a finalize request, it MUST verify that the public key in a CSR is not