ACME allows revocation by anyone in possession of the private key. Per the RFC, you put a jwk in the protected header rather than a kid, and sign the request with the private key of the certificate being revoked, rather than the account key. It would be very handy for me, at least, if acme-client supported this use-case.

Cleaning up. I added revocation a while back.

Sorry, I'm still unable to determine how to revoke a certificate using the private key, rather than the account key. Would you mind giving me a pointer to the appropriate method? Acme::Client#revoke only accepts a certificate, according to the source (of 2.0.16, at least).