Max,
https://github.com/anima-wg/anima-bootstrap/pull/37
I'm proposing the following text such that /../requestauditlog is now a
POST/201-Location, GET /cacheable that is common and more RESTful. I've made
it optional, which is to say that Registrars need to cope with either type of
return.
Most API users are used to this kind of thing, and it makes the response
cacheable, with normal ETag and Expires: headers able to apply.
I'm open to mandating it as that gets rid of a code path to test!
+ Rather than returning the audit log as a response to the POST (with a
+ return code 200), the MASA MAY instead return a 201 ("Created")
+ RESTful response ([RFC7231] section 7.1) containing a URL to the
+ prepared (and easily cachable) audit response.
+
+ MASA servers that return URLs SHOULD take care to make the returned
+ URL unguessable. URLs containing a database number such as
+ https://example.com/auditlog/1234 or the EUI of the device such
+ https://example.com/auditlog/10-00-00-11-22-33, would be easily
+ enumerable by an attacker. It is recommended put to put some
+ meaningless randomly generated slug that indexes a database instead.
+
+ A MASA that returns a code 200 MAY also include a Location: header
+ for future reference by the Registrar.
--
Michael Richardson <[email protected]>, Sandelman Software Works
-= IPv6 IoT consulting =-
_______________________________________________ Anima mailing list [email protected] https://www.ietf.org/mailman/listinfo/anima
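A worked version of the POST/201-Location flow proposed in the message above, added here as an example; it is not code from the original mail, from the draft, or from any MASA or Registrar implementation. It assumes a hypothetical MASA URL prefix https://masa.example/auditlog/, a constructed audit-log record for one device EUI, and a one-hour freshness lifetime. The MASA side can answer either inline (200) or by reference (201 plus Location with a random slug, never the EUI or a row number), and the Registrar side copes with both return styles, as the mail says it must, revalidating a cached copy with If-None-Match.

```python
"""Added example: requestauditlog answered inline (200) or by reference (201 + Location)."""
import hashlib
import json
import secrets
import time
from email.utils import formatdate

# Constructed sample audit log for one device, keyed by EUI (hypothetical data).
AUDIT_LOGS = {
    "10-00-00-11-22-33": {
        "version": "1",
        "events": [{"date": "2017-06-01T12:00:00Z", "domainID": "d0ma1n", "nonce": "n0nce"}],
    },
}

AUDITLOG_BASE = "https://masa.example/auditlog/"   # hypothetical MASA URL prefix (assumption)
MAX_AGE = 3600                                      # freshness lifetime in seconds (assumption)


def _etag(body: bytes) -> str:
    # Strong ETag derived from the content: an unchanged log revalidates to 304.
    return '"' + hashlib.sha256(body).hexdigest()[:32] + '"'


class Masa:
    """Minimal MASA that answers requestauditlog inline (200) or by reference (201)."""

    def __init__(self, inline: bool):
        self.inline = inline
        self.published = {}     # slug -> (etag, body); the slug is the only index a client sees
        self.slug_by_eui = {}   # server-side mapping; never exposed in a URL

    def requestauditlog(self, eui: str):
        body = json.dumps(AUDIT_LOGS[eui], sort_keys=True).encode()
        etag = _etag(body)
        if self.inline:
            return 200, {"Content-Type": "application/json", "ETag": etag}, body
        slug = self.slug_by_eui.get(eui)
        if slug is None or self.published[slug][0] != etag:
            # 128 bits from the OS CSPRNG: no EUI, no database row number, nothing to enumerate.
            slug = secrets.token_urlsafe(16)
            self.slug_by_eui[eui] = slug
            self.published[slug] = (etag, body)
        # Reusing the slug while the log is unchanged keeps the Registrar's cached copy valid.
        return 201, {"Location": AUDITLOG_BASE + slug}, b""

    def get_auditlog(self, url: str, if_none_match=None):
        if not url.startswith(AUDITLOG_BASE):
            return 404, {}, b""
        entry = self.published.get(url[len(AUDITLOG_BASE):])
        if entry is None:
            return 404, {}, b""   # same answer for never-issued and for unknown slugs
        etag, body = entry
        headers = {
            "ETag": etag,
            # The log is sensitive per device: let only the Registrar cache it, not shared caches.
            "Cache-Control": f"private, max-age={MAX_AGE}",
            "Expires": formatdate(time.time() + MAX_AGE, usegmt=True),
        }
        if if_none_match == etag:
            return 304, headers, b""
        return 200, {**headers, "Content-Type": "application/json"}, body


def registrar_fetch_auditlog(masa: Masa, eui: str, cache: dict):
    """Registrar side: accept either a 200 inline log or a 201 + Location.

    Returns (audit_log, how) where how is "inline", "fetched" or "revalidated".
    `cache` maps audit-log URL -> (etag, body) and persists across calls.
    """
    status, headers, body = masa.requestauditlog(eui)
    if status == 200:
        return json.loads(body), "inline"
    if status != 201 or "Location" not in headers:
        raise RuntimeError(f"unexpected requestauditlog response {status}")
    url = headers["Location"]
    cached = cache.get(url)
    status, headers, body = masa.get_auditlog(url, if_none_match=cached[0] if cached else None)
    if status == 304 and cached:
        return json.loads(cached[1]), "revalidated"
    if status != 200:
        raise RuntimeError(f"unexpected audit log fetch response {status}")
    cache[url] = (headers["ETag"], body)
    return json.loads(body), "fetched"


if __name__ == "__main__":
    cache = {}
    masa = Masa(inline=False)
    print(registrar_fetch_auditlog(masa, "10-00-00-11-22-33", cache))   # fetched
    print(registrar_fetch_auditlog(masa, "10-00-00-11-22-33", cache))   # revalidated
```

The Registrar only ever learns the slug through the Location header it was given after its authenticated POST, and the 404 path answers identically for slugs that were never issued, so guessing yields no oracle; the `Cache-Control: private` header is what keeps the "easily cacheable" property from turning the unguessable URL into something a shared proxy cache would hand to anyone who asks.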
