-
Notifications
You must be signed in to change notification settings - Fork 112
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
HTTP usage #23
Comments
Example: type: "defer" is better replicated with a 503 + Retry-After |
After thinking about this for a while, I think this is good idea. A sketch of a refactor is below. A PR will be a little longer in coming. The server manages the following resources:
The authorization flow would something like the following:
The issuance flow would something like the following:
Other:
|
Perhaps... Revocation: Client DELETEs cert URI |
I had considered this, but you really want revocation to be authenticated (so that I can't revoke my competitor's certs). It's not obvious to me how you would authenticate a DELETE request, but a POST can have a signed body. |
In this case, without a new auth scheme, what Richard says is probably the best approach. The only drawback is that that POST isn't obviously idempotent, but that's actually a feature in sine senses (no replay, resources stay). |
Agreed. Personally I like to see authentication information separated from the request (eg: in the headers) but that would require some pretty significant structural changes. Assuming that's not going to be done (at least for version 1) then POST makes most sense. |
In the vein of adding a 503 status to
|
Could be significantly better. It would require some fairly major structural changes though.
The text was updated successfully, but these errors were encountered: