W3C home > Mailing lists > Public > ietf-http-wg-old@w3.org > May to August 2000

RE: Questions (errata?) about caching authenticated responses

From: Joris Dobbelsteen <joris.dobbelsteen@mail.com>
Date: Sat, 22 Jul 2000 16:05:31 +0200
To: "WWW WG (E-mail)" <http-wg@cuckoo.hpl.hp.com>
Message-ID: <000b01bff3e5$e7075120$0d0aa8c0@THUIS.LOCAL>
The best solution for maximum security whould be:

Authenticated request
Do NOT cache the response, because it requires uses to authenticate, and may
not be accessed by everyone.

A private-cache is used by ONLY ONE PERSON. This cache may cache the
response (depending on the cache-control header), because it can only be
accessed by one person.

- Joris Dobbelsteen

> -----Original Message-----
> From: Duane Wessels [mailto:wessels@ircache.net]
> Sent: donderdag 20 juli 2000 7:48
> To: http-wg@cuckoo.hpl.hp.com
> Subject: Questions (errata?) about caching authenticated responses
> I've been reading RFCs 2616 and 2617 about caching authenticated
> responses, and have possibly found some inconsistencies.
> #1.     The very last sentence of Sec 14.9.4 (under proxy-revalidate)
> 	says: ``...such authenticated responses also need the public
> 	cache control directive in order to allow them to be cached at
> 	all''
> 	Yet, Sec 14.8 lists three cache-control directives that allow a
> 	shared cache to reuse an authenticatd response: s-maxage,
> 	must-revalidate, and public.
> #2.	If must-revalidate alone is enough to allow an authenticated
> 	response to be cached, and if proxy-revalidate is the same
> 	as must-revalidate for a shared cache, is proxy-revalidate
> 	alone enough to allow an authenticated response to be cached?
> 	If so, should proxy-revalidate be listed in section 14.8?
> #3.	RFC 2617, Sec says:
> 	    when a shared cache ... has received a request containing
> 	    an Authorization header and a response from relaying that
> 	    request, it MUST NOT return that response as a reply to any
> 	    other request, unless one of two Cache-Control (see section
> 	    14.9 of [RFC2616]) directives was present in the response.
> 	I believe this is referring to section 14.8, rather than 14.9,
> 	and "two" is not the right number?
> Finally, Sec 14.8 doesn't mention if a non-shared cache needs to treat
> an authenticated response specially.  I assume that a non-shared
> cache can store and reuse an authenticated response by default.
> Should that be made explicit?
> Duane W.
Received on Saturday, 22 July 2000 15:08:12 UTC

This archive was generated by hypermail 2.3.1 : Wednesday, 7 January 2015 14:40:24 UTC