letsencrypt / boulder

An ACME-based certificate authority, written in Go.
Mozilla Public License 2.0

Have deactivating a pending authz count toward failed validation limits #7834

Closed. aarongable closed this 4 days ago

aarongable commented 5 days ago

Deactivating a pending authz accomplishes worse than nothing: it doesn't prevent a successful validation from being reused, and it does prevent us from reusing that pending authz (and any orders associated with it) in response to future requests. It appears that some clients have a bad habit of rapidly creating new orders and associated new authzs, immediately deactivating those pending authzs (which also invalidates the order), and then rinse-and-repeating. This can be particularly egregious in the presence of a previously-successful order, which causes such requests to count as renewals and bypass rate limits. We should rate limit this behavior.

The easiest way to do so (I believe) is to count deactivating a pending authz towards our existing failed validations limits. This way, if a client creates and deactivates enough authzs, they will be limited from creating new orders. And if they do so long enough, they will be auto-paused.

Note that we should not count deactivating a "valid" authz towards these limits; we want people to be able to deactivate authzs after they've been used if they want to prevent us from reusing them for future orders.
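A sketch of the accounting proposed above, added here as an example and not Boulder's own code: the limiter type, its two thresholds (order refusal, then auto-pause), and the `account:identifier` bucket key are all assumptions; only a pending authz is charged, a valid one is deactivated for free.

```go
package main

import "fmt"

// ACME authorization states relevant to this issue (constructed stand-ins).
const StatusPending, StatusValid, StatusDeactivated = "pending", "valid", "deactivated"
// Authz is a minimal, constructed stand-in for a stored authorization.
type Authz struct {
	AccountID  int64
	Identifier string
	Status     string
}
// FailedValidationLimiter is a hypothetical per-(account, identifier) bucket of
// failed validations, with an auto-pause threshold above the order-refusal limit.
type FailedValidationLimiter struct {
	Limit, PauseAfter int
	counts            map[string]int // key: "<account>:<identifier>" (assumed format)
	paused            map[int64]bool
}

func NewFailedValidationLimiter(limit, pauseAfter int) *FailedValidationLimiter {
	return &FailedValidationLimiter{Limit: limit, PauseAfter: pauseAfter,
		counts: map[string]int{}, paused: map[int64]bool{}}
}

// RecordFailure charges one failed validation; real challenge failures call this too.
func (l *FailedValidationLimiter) RecordFailure(acct int64, ident string) {
	k := fmt.Sprintf("%d:%s", acct, ident)
	if l.counts[k]++; l.counts[k] >= l.PauseAfter {
		l.paused[acct] = true // auto-pause: enough failures on one identifier
	}
}
// Deactivate implements the proposal: deactivating a pending authz is charged
// like a failed validation, while deactivating a valid authz is allowed and free.
func (l *FailedValidationLimiter) Deactivate(a *Authz) error {
	switch a.Status {
	case StatusPending:
		l.RecordFailure(a.AccountID, a.Identifier)
	case StatusValid: // client is opting out of authz reuse; not counted
	default:
		return fmt.Errorf("cannot deactivate authz in state %q", a.Status)
	}
	a.Status = StatusDeactivated
	return nil
}
// NewOrderAllowed is the check a newOrder request for ident would consult.
func (l *FailedValidationLimiter) NewOrderAllowed(acct int64, ident string) bool {
	return !l.paused[acct] && l.counts[fmt.Sprintf("%d:%s", acct, ident)] < l.Limit
}
```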