Comment 1 for bug 1446266

John Wood (john-wood-w) wrote :

I think this can be a simplified check since orders are not covered by ACLs now, and therefore are still project-id based.

So I think if the stored key is not associated with the order's project-id, it should be rejected at API time (so no need to check this on the worker again later)

If that check passes on the API side, or the worker is now processing this order, a check is then made to see if the secret has an ACL associated with it. If it does, then I think initially we can reject this request as well.

We might relax this later and say that if the project-id is on the ACL for the stored key, then we allow the order to process. I say that because if a certificate/container is created based on the stored key, then an attempt to GET that container using the project-id should probably succeed.
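The check proposed in this comment, written out as a pure decision function so it can be applied at API time and re-applied by the worker. This is an added example, not Barbican's code: `StoredSecret`, `acl_project_ids` and the `allow_acl_member` switch are hypothetical, and the reading of the relaxed rule (any project listed on the key's ACL may order against it) is an assumption.

```python
from dataclasses import dataclass, field
from typing import Set, Tuple


@dataclass
class StoredSecret:
    """Hypothetical model of a stored key with an optional ACL (not Barbican's model)."""
    project_id: str                                        # owning project
    acl_project_ids: Set[str] = field(default_factory=set)  # projects granted via ACL


def check_order_key_access(order_project_id: str, secret: StoredSecret,
                           allow_acl_member: bool = False) -> Tuple[bool, str]:
    """Decide whether an order from `order_project_id` may use `secret`.

    Returns (allowed, reason). With allow_acl_member=False this is the strict
    initial policy; True models the possible later relaxation.
    """
    # Possible later relaxation: a project listed on the key's ACL may order against it.
    if allow_acl_member and order_project_id in secret.acl_project_ids:
        return True, "order's project is listed on the stored key's ACL"

    # Orders are project-id based: the stored key must belong to the order's project.
    if secret.project_id != order_project_id:
        return False, "stored key is not owned by the order's project"

    # Strict initial policy: any stored key that carries an ACL is rejected.
    if secret.acl_project_ids:
        return False, "stored key has an ACL attached"

    return True, "stored key owned by the order's project and has no ACL"


if __name__ == "__main__":
    # Constructed sample data for a quick run.
    plain = StoredSecret(project_id="proj-a")
    shared = StoredSecret(project_id="proj-a", acl_project_ids={"proj-b"})
    print(check_order_key_access("proj-a", plain))           # allowed
    print(check_order_key_access("proj-b", plain))           # rejected: not owner
    print(check_order_key_access("proj-a", shared))          # rejected: ACL present
    print(check_order_key_access("proj-b", shared, True))    # allowed under relaxation
```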