- From: Koen Holtman <koen@win.tue.nl>
- Date: Wed, 3 Apr 1996 21:52:28 +0200 (MET DST)
- To: jg@w3.org
- Cc: koen@win.tue.nl, mogul@pa.dec.com, dwm@shell.portal.com, http-caching@pa.dec.com
jg@w3.org:
>
> The intent of "caching may violate law" is to handle the situation
> that comes up with certain information (e.g. medical records) going
> through a cache that may be deliberately ignoring some cache control
> directives.

If this is the sole intent, then this intent is not clear to me from the proposed text, which says "any law".

Some US cache operators are currently worrying about caching "indecent" material from, say, European servers. I see no indication in the proposed text that "caching may violate law" won't handle this. If you do want to handle this with "caching may violate law", you will fail. If you don't want to handle it, you need to be more explicit about this in the text.

> This allows an information provider a mechanism to
> flag such information that makes it clear that such data must not
> be cached.

If "caching may violate law" is supposed to handle this case only, it needs rewording. In this case, "caching may violate law" is best defined as an _explanatory message_ accompanying a "Cache-control: no-cache" response header.

> We have knowledge and experience that some caches are run
> in such a manner, and want some mechanism to deal with it.

We already discussed caches deliberately ignoring "cache-control: max-age=0" at length in the "Transparency vs. Performance" threads, which were inspired by concerns about the interaction between caching and cookies.

The conclusion then was that HTTP could not forbid caches (in particular those in user agents) from ignoring "cache-control: max-age=0". This conclusion can be extended to the "cache-control: no-cache" header.

In private e-mail, Roy, Jeff, and I agreed that HTTP could require this ignoring of Cache-control to be _detectable_ by the origin server. If a cache is operating under a situation where it is ignoring caching headers, it should include a

  Cache-control: max-stale=<something>

header in the request. Origin servers could, on detecting this header, deny service if caching would violate law.

> So that is the background; if you don't like this mechanism,
> what would you propose?

In summary, I propose we stick to the consensus reached that HTTP cannot require that caches _must_ pay attention to "cache-control" in some cases. I propose that we make the ignoring of "cache-control" by caches detectable by origin servers.

I think that the current proposed text for the "caching may violate law" warning code has huge problems. But I also think that a "caching may violate law" code defined as an _explanatory message_ accompanying a "Cache-control: no-cache" response header would be a good addition to the protocol.

Discussions on violating law through incorrect caching are also best moved to the security section. These discussions should mention max-stale.

> - Jim Gettys

Koen.
Received on Wednesday, 3 April 1996 20:32:05 UTC
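
The detection step proposed in the message above, as an added example (not part of the original e-mail or of any HTTP specification text): an origin server parses the request's Cache-control directives and refuses a resource it has flagged as legally uncacheable when the request carries max-stale. The path names, the function names and the 403 status are assumptions made for illustration.

```python
import re

# Constructed sample: resources the origin server treats as "caching may violate law".
RESTRICTED = {"/records/patient-17"}

# One directive: a run of characters that are neither commas nor quotes, or quoted strings.
_DIRECTIVE = re.compile(r'(?:[^,"]|"(?:\\.|[^"\\])*")+')


def parse_cache_control(field_values):
    """Merge every Cache-control field value of a request into {name: value or None}."""
    directives = {}
    for value in field_values:
        for item in _DIRECTIVE.findall(value):
            name, has_arg, arg = item.strip().partition("=")
            if name:
                # Directive names are case-insensitive; arguments may be quoted.
                directives[name.strip().lower()] = arg.strip().strip('"') if has_arg else None
    return directives


def handle_request(path, cache_control_values, restricted=RESTRICTED):
    """Return (status, headers, body) for a GET on path."""
    directives = parse_cache_control(cache_control_values)
    if path not in restricted:
        return 200, {}, "content of " + path
    # Restricted responses carry Cache-control: no-cache, the header the
    # message pairs the "caching may violate law" explanation with.
    headers = {"Cache-Control": "no-cache"}
    if "max-stale" in directives:
        # The cache has announced that it serves stale entries, i.e. that it
        # may ignore no-cache: deny service (403 is an assumed status choice).
        return 403, headers, "refused: caching this resource may violate law"
    return 200, headers, "content of " + path


if __name__ == "__main__":
    # Constructed requests: (path, Cache-control field values as received).
    for path, cc in [("/records/patient-17", []),
                     ("/records/patient-17", ["no-transform, MAX-STALE=86400"]),
                     ("/index.html", ["max-stale"])]:
        print(path, cc, "->", handle_request(path, cc)[0])
```

The check only works against caches that announce themselves with max-stale, which is exactly the detectability requirement the message argues for; a cache that omits the directive is indistinguishable from a compliant one.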