I noticed that sscep v0.7.0 is using GET for e.g. the "Certificate Enrolment/Renewal" call.
This is not recommended by HTTP itself, and there is also a remark about that in "Simple Certificate Enrolment Protocol" draft-gutmann-scep-16.
...
Early SCEP drafts performed all communications via "GET" messages,
including non-idempotent ones that should have been sent via "POST"
messages, see [16] for details. This has caused problems because of
the way that the (supposedly) idempotent GET interacts with caches
and proxies, and because the extremely large GET requests created by
encoding CMS messages may be truncated in transit. These issues are
typically not visible when testing on a LAN, but crop up during
deployment over WANs. If the remote CA supports POST, the CMS-
encoded SCEP messages MUST be sent via HTTP POST instead of HTTP GET.
This applies to any SCEP message except GetCACert, GetNextCACert, and
GetCACaps, and avoids the need for base64- and URL-encoding
...
I propose considering a switch to HTTP POST calls, as advised in the protocol specifications.
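The transport choice described in the quoted draft text, as an added example (not sscep code and not part of the original report): a client reads the GetCACaps response and sends PKIOperation via POST when the CA supports it, falling back to the base64- and URL-encoded GET form otherwise. The `POSTPKIOperation` capability keyword and the `application/x-pki-message` content type are taken from the SCEP specification rather than from this page; the CA URL, the capability response and the CMS bytes are constructed placeholders.

```python
import base64
from urllib.parse import quote

# Operations the draft exempts from the POST requirement (plain GET queries).
GET_ONLY_OPERATIONS = {"GetCACert", "GetNextCACert", "GetCACaps"}


def parse_ca_caps(body: str) -> set:
    """Parse a GetCACaps response: one capability keyword per line."""
    return {line.strip() for line in body.splitlines() if line.strip()}


def build_scep_request(base_url, operation, cms_der=b"", ca_caps=frozenset()):
    """Return (method, url, body, headers) for one SCEP HTTP request."""
    url = f"{base_url}?operation={quote(operation)}"
    if operation in GET_ONLY_OPERATIONS:
        return "GET", url, None, {}
    if "POSTPKIOperation" in ca_caps:
        # Binary CMS goes in the body: no base64, no URL-encoding,
        # and nothing for a proxy to cache or truncate in the URL.
        headers = {"Content-Type": "application/x-pki-message"}
        return "POST", url, cms_der, headers
    # Legacy fallback: CMS is base64-encoded, then URL-encoded into the query.
    b64 = base64.b64encode(cms_der).decode("ascii")
    return "GET", f"{url}&message={quote(b64, safe='')}", None, {}


def demo():
    # Constructed stand-in for a DER-encoded CMS message (not a real PKCSReq).
    cms = bytes(range(256)) * 12          # 3072 bytes
    base = "http://ca.example.test/scep"  # placeholder CA URL
    caps = parse_ca_caps("POSTPKIOperation\nSHA-256\nAES\n")  # constructed
    post = build_scep_request(base, "PKIOperation", cms, caps)
    legacy = build_scep_request(base, "PKIOperation", cms, set())
    return cms, post, legacy


if __name__ == "__main__":
    cms, post, legacy = demo()
    print(post[0], len(post[1]), "byte URL,", len(post[2]), "byte body")
    print(legacy[0], len(legacy[1]), "byte URL, no body")
```

For the same 3072-byte message, the POST request keeps a short fixed URL, while the GET fallback produces a URL longer than 4 KB, the kind of request the draft warns may be truncated in transit.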