
bad-key-revoker: also deactivate accounts with blocked keys #8837

Open
aarongable wants to merge 1 commit into main from bkr-account-keys

@aarongable aarongable commented Jul 1, 2026

Contributor

When bad-key-revoker is processing a new row from the blockedKeys table, also deactivate any accounts whose key matches the newly-blocked key. This ensures that a key compromise doesn't allow a bad actor to take over an ACME account.

Put the new behavior behind a feature flag, because it requires a database permission change that will have to be deployed separately. Also add a new helper function to core/util.go, to ensure that the way we calculate account key hashes never diverges from the way we compute certificate key hashes.

Fixes #5683

IN-12841 tracks the corresponding SRE-side database and config changes

@aarongable aarongable marked this pull request as ready for review July 1, 2026 23:24
@aarongable aarongable requested a review from a team as a code owner July 1, 2026 23:24

github-actions Bot commented Jul 1, 2026

Contributor

@aarongable, this PR adds one or more new feature flags: DeactivateBadKeyAccounts. As such, this PR must be accompanied by a review of the Let's Encrypt CP/CPS to ensure that our behavior both before and after this flag is flipped is compliant with that document.

Please conduct such a review, then add your findings to the PR description in a paragraph beginning with "CPS Compliance Review:".


Development

Successfully merging this pull request may close these issues.

bad-key-revoker: Check & deactivate account keys
