W3C home > Mailing lists > Public > ietf-http-wg-old@w3.org > May to August 1995

Comment on http 1.0 draft 01: authentication and caching

From: Koen Holtman <koen@win.tue.nl>
Date: Sat, 12 Aug 1995 12:03:07 +0200 (MET DST)
Message-Id: <199508121003.MAA09625@wswiop05.win.tue.nl>
To: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
Cc: Koen Holtman <koen@win.tue.nl>
In section 10 of <draft-ietf-http-v10-spec-01.txt>, it says:

   Proxies must be completely transparent regarding user agent
   authentication. That is, they must forward the WWW-Authenticate and
   Authorization headers untouched. HTTP/1.0 does not provide a means
   for a client to be authenticated with a proxy.

I read this to imply that caching proxies may never cache responses to
requests with Authorization headers.

Is this really the intended meaning?  It sounds like a wasteful
requirement to me.

I feel that passing along Authorization headers untouched is fine as a
default, but that there has to be some way to override this default.

A response message could contain a header to explicitly _allow_ a
proxy cache not to be transparent, e.g.

   URI: <http://shopping.com/food/vegetables/carrots.gif>;
        unvary="authorization"

The `unvary' would tell the cache that the response does not vary if
the Authorization header varies, implying that no authentication is
done on http://shopping.com/food/vegetables/carrots.gif.  This would
allow the proxy cache to act non-transparently, to serve future
requests for that picture from cache memory without ever contacting
the origin server.

Koen.
Received on Saturday, 12 August 1995 04:01:01 EDT

This archive was generated by hypermail pre-2.1.9 : Wednesday, 24 September 2003 06:31:24 EDT