I'm feeling unsettled about Mathias's proposal, for a couple of reasons:

1. It relies on some indirector features that we don't currently support (410 errors, head requests, post requests, more richly detailed http error messages, richer support of "accept" headers, and find requests with no key). Granted, some of these features would be nice to add, but I'm not sure it makes sense to do them just so that we can make the REST API for cert signing take this form.

2. It puts a bigger burden than I would like to put on clients of the REST API to understand how the certificate system works. In my original proposal, if a client wanted to know the status of a hostname, they would issue a single request and get the status back in an intuitive format. If we go with Mathias's suggestions, the client has to issue several related requests and synthesize the result. If the client gets this wrong, they may falsely conclude that a certificate is valid when it isn't, and that could lead to a lot of customer confusion. By having a specific REST call to query the status of a cert (analogous to "puppet cert --verify") we make sure it is our code that is determining the validity, so we can be sure to do it right.

Note that my proposal wouldn't preclude us from adding support for Mathias's suggested API at a later date, if it provides additional features that customers need.

Paul

On Fri, Sep 17, 2010 at 10:35 AM, Luke Kanies <[email protected]> wrote:

> I like Mathias's proposal, and I think all it leaves to solve is signing of
> certs, right?
>
> --
> Luke Kanies | +1-615-594-8199
>
> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Developers" group.
> To post to this group, send email to [email protected].
> To unsubscribe from this group, send email to [email protected].
> For more options, visit this group at
> http://groups.google.com/group/puppet-dev?hl=en.
