> It seems what we'd really want for that is the ability to query for
all current authorisations and to be able to revoke them even if you
aren't in possession of the account key that obtained them (but are in
possession of the key which most recently performed authz).
Another way to achieve
Looks good to me.
I think it would also be useful to provide guidance to ACME clients as
to which CA to contact so as to support use of an LRA and/or
transition from one CA to another.
For example, lets say the initial CA was AliceCert.com and the site
decides to use BobCert.com instead. The
