dehydrated
Add support for recovery key
Support for recovery keys might be a good idea (which is described here). This would make it possible to recover an account later on.
I don't see any benefit. If you lose your account key you likely lose the recovery key along with it. If you store/backup your recovery key in a safe place you could do exactly that with your account key.
I do see a benefit, primarily in organizations.
Consider the scenario where an organization has a system administrator responsible for overseeing certificate issuance and deployment. (Let's further say that the organization is non-profit, and therefore is trying to control costs by using a service like LE.) Generally speaking, you wouldn't want to keep the account key accessible by just anybody in the organization, and yet you absolutely do want the ability to recover the account if the system administrator goes rogue, or gets hit by a bus, or goes into a coma, or whatever...
Account recovery (as specified in section 6.4 of the spec) binds account info and resources (certificates, etc.) to a new account key. This ensures two important points: first, that any rogue actors with the old account key cannot continue using it for new actions; second, that any use of the recovery key becomes evident when the old account key no longer functions. We therefore have a way of ensuring that our example rogue system administrator cannot bring down the system, but also of being able to detect rogue use of the recovery key from elsewhere within the organization.
In my day job, I have assisted organizations who have been dealing with outsourced IT who refused to give them access to their own systems, when the organizations wanted to switch IT providers. Having a recovery key available to the organization is an important safeguard when dealing with contracted IT labor. At the same time, you wouldn't want them to have access to the regular account key, because that opens the door to other abuses / misuses.
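As an added illustration of the two properties the comment above attributes to account recovery (the old account key stops working, and the recovery leaves a visible trace), here is a toy model of a CA-side account store. It is example code written for this discussion, not dehydrated's code and not the ACME draft's actual recovery-key construction: the key derivation, the HMAC tag standing in for the JWS signature ACME really uses, the `ToyCA` class and the `recover` request shape are all constructed for the example.

```python
"""Toy model of ACME-style account recovery (constructed example).

One account key is held by the day-to-day operator; a separate recovery key is
held back by the organization. Recovery rebinds the account to a new account
key, so the old key is rejected afterwards and the change is logged.
HMAC-SHA256 tags stand in for real JWS signatures.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Account:
    account_id: str
    account_key: bytes                  # key the operator/sysadmin holds
    recovery_key: bytes                 # key the organization keeps in escrow
    certificates: list = field(default_factory=list)
    history: list = field(default_factory=list)   # audit trail of rebindings


def sign(key: bytes, message: bytes) -> bytes:
    """Client side: produce the request tag (stand-in for a JWS signature)."""
    return hmac.new(key, message, hashlib.sha256).digest()


class ToyCA:
    def __init__(self):
        self.accounts = {}

    def register(self, account_key: bytes, recovery_key: bytes) -> str:
        account_id = secrets.token_hex(4)   # constructed opaque identifier
        self.accounts[account_id] = Account(account_id, account_key, recovery_key)
        return account_id

    def authenticated_request(self, account_id: str, action: str, tag: bytes) -> bool:
        """Ordinary request signed with the *account* key."""
        acct = self.accounts[account_id]
        expected = sign(acct.account_key, action.encode())
        if not hmac.compare_digest(expected, tag):
            return False                    # wrong or superseded account key
        if action.startswith("issue:"):
            acct.certificates.append(action.split(":", 1)[1])
        return True

    def recover(self, account_id: str, new_account_key: bytes, recovery_tag: bytes) -> bool:
        """Rebind the account to new_account_key; authorised only by the recovery key.

        Binding the tag to the new key prevents an observer from replaying a
        captured recovery message with a key of their own choosing.
        """
        acct = self.accounts[account_id]
        expected = sign(acct.recovery_key, b"recover:" + new_account_key)
        if not hmac.compare_digest(expected, recovery_tag):
            return False
        old_fingerprint = hashlib.sha256(acct.account_key).hexdigest()[:16]
        acct.history.append(("recovered", old_fingerprint))
        acct.account_key = new_account_key  # the previous key no longer works
        return True


def demo() -> dict:
    """Walk through the scenario from the thread and report each outcome."""
    ca = ToyCA()
    admin_key = secrets.token_bytes(32)         # held by the sysadmin
    org_recovery_key = secrets.token_bytes(32)  # held by the organization
    acct = ca.register(admin_key, org_recovery_key)

    msg = b"issue:example.org"
    before = ca.authenticated_request(acct, msg.decode(), sign(admin_key, msg))

    # Organization rotates to a key of its own using the recovery key.
    new_key = secrets.token_bytes(32)
    recovered = ca.recover(acct, new_key, sign(org_recovery_key, b"recover:" + new_key))

    # The old key now fails: that failure is how its holder learns a recovery happened.
    old_key_after = ca.authenticated_request(acct, msg.decode(), sign(admin_key, msg))
    msg2 = b"issue:www.example.org"
    new_key_after = ca.authenticated_request(acct, msg2.decode(), sign(new_key, msg2))

    # A recovery attempt authorised with the account key instead is rejected.
    bogus = ca.recover(acct, secrets.token_bytes(32), sign(admin_key, b"recover:x"))

    return {
        "before": before,
        "recovered": recovered,
        "old_key_after": old_key_after,
        "new_key_after": new_key_after,
        "bogus_recovery": bogus,
        "certs": ca.accounts[acct].certificates,
        "history_len": len(ca.accounts[acct].history),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point of the model is the split of custody: whoever holds only the account key can issue certificates but cannot rebind the account, and whoever holds the recovery key can rebind it but, by doing so, necessarily invalidates the operator's key, which is what makes misuse of the recovery key detectable rather than silent.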