Re: Comment on http 1.0 draft 01: authentication and caching

From: Roy Fielding <fielding@beach.w3.org>
Date: Mon, 14 Aug 1995 16:57:02 -0400
Message-Id: <199508142057.QAA27831@beach.w3.org>
To: Koen Holtman <koen@win.tue.nl>
Cc: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com

>In section 10 of <draft-ietf-http-v10-spec-01.txt>, it says:
>
>   Proxies must be completely transparent regarding user agent
>   authentication. That is, they must forward the WWW-Authenticate and
>   Authorization headers untouched. HTTP/1.0 does not provide a means
>   for a client to be authenticated with a proxy.
>
>I read this to imply that caching proxies may never cache responses to
>requests with Authorization headers.

Actually, it doesn't say that, but it should.  I have added it to draft 02.
Anything that involves authentication in "current practice" also
implies exclusion of those not authenticated.  Since the proxy cannot
duplicate the server's authorization capability, it must not deliver
the response to anyone but the client requesting it (and only for that
particular request), and therefore should never cache such responses.

 ....Roy T. Fielding  Department of ICS, University of California, Irvine USA
                      Visiting Scholar, MIT/LCS + World-Wide Web Consortium
                      (fielding@w3.org)                (fielding@ics.uci.edu)
Received on Monday, 14 August 1995 13:58:26 EDT
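
An added illustration of the rule stated in the reply above; it is not part of the original message or of the HTTP/1.0 draft. The `CachingProxy` class, the `origin` function, the URLs and the credential are constructed for the example, and skipping storage of responses that carry `WWW-Authenticate` is an assumption drawn from "anything that involves authentication".

```python
class CachingProxy:
    """Toy shared cache keyed by URL (constructed for illustration)."""

    def __init__(self, origin):
        self.origin = origin  # callable(method, url, headers) -> (status, headers, body)
        self.cache = {}

    @staticmethod
    def has_header(headers, name):
        return any(k.lower() == name.lower() for k in headers)

    def storable(self, method, req_headers, status, resp_headers):
        if method != "GET" or status != 200:
            return False
        # Rule from the message: the proxy cannot repeat the server's
        # authorization decision, so an authenticated exchange is never stored.
        if self.has_header(req_headers, "Authorization"):
            return False
        # Assumption: a response carrying a challenge is not stored either.
        return not self.has_header(resp_headers, "WWW-Authenticate")

    def handle(self, method, url, req_headers):
        authed = self.has_header(req_headers, "Authorization")
        if method == "GET" and not authed and url in self.cache:
            return self.cache[url], "HIT"
        # Transparent forwarding: headers go to the origin unchanged.
        resp = self.origin(method, url, dict(req_headers))
        if self.storable(method, req_headers, resp[0], resp[1]):
            self.cache[url] = resp
        return resp, "MISS"


SEEN = []  # request headers received by the constructed origin below


def origin(method, url, headers):
    """Constructed origin: /private requires one fixed Basic credential."""
    SEEN.append(headers)
    if url == "/private" and headers.get("Authorization") != "Basic YWxpY2U6c2VjcmV0":
        return 401, {"WWW-Authenticate": 'Basic realm="demo"'}, b""
    return 200, {"Content-Type": "text/plain"}, ("body of " + url).encode()


if __name__ == "__main__":
    proxy = CachingProxy(origin)
    alice = {"Authorization": "Basic YWxpY2U6c2VjcmV0"}
    print(proxy.handle("GET", "/private", alice))  # 200 from origin, not stored
    print(proxy.handle("GET", "/private", {}))     # 401: no cached copy to leak
```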
