
Re: Questions (errata?) about caching authenticated responses [#174]

From: Adrien de Croy <adrien@qbik.com>
Date: Wed, 09 Jun 2010 12:55:00 +1200
Message-ID: <4C0EE664.8010004@qbik.com>
To: Mark Nottingham <mnot@mnot.net>
CC: HTTP Working Group <ietf-http-wg@w3.org>, Roy Fielding <fielding@gbiv.com>

I think there's a slight difference between the 2 cases

1. Authenticated response containing Cache-control: public
2. Response (authenticated or not) containing Cache-control: private, public

In the first case it's obvious the server wants to make the response 
cacheable in spite of the fact that it's the result of an authenticated 
request.

In the second case, it's not at all obvious what the server wants, and 
an optimist might choose public, and a conservative might choose private.

In most if not all computer languages, there is a concept of defined 
operator precedence.  Maybe such a concept would be useful here, e.g. 
define which tokens have precedence over others.  I'd expect however in 
that case that for security reasons private would take priority over 
public, which then leads us to problems treating authenticated responses 
as if they included the public directive.  So in short, I think it needs 
to be treated as a special case.

Regards

Adrien


On 9/06/2010 12:37 p.m., Mark Nottingham wrote:
> Actually, that's not a good proposal, because it doesn't cover the 'defaulting' concept Roy has been talking about.
>
> Roy, can you propose some text, if you want to pursue this? I feel like we're approaching diminishing returns here...
>
>
> On 08/06/2010, at 3:36 PM, David Morris wrote:
>
>> Use the 2nd form and save the extra words to make sure "Cache-Control:
>> private" is clear if it isn't already.
>>
>> On Tue, 8 Jun 2010, Mark Nottingham wrote:
>>
>>> Well, most of the proposal is defining what 'explicitly given otherwise' means (and noting the consequences)...
>>>
>>> Which is more clear?
>>>
>>>> Shared caches MUST NOT use a cached response to a request with an Authorization [ref] header to satisfy any subsequent request unless a cache directive that allows such responses to be stored is present in the response.
>>> or
>>>
>>> """
>>> Requests with Authorization [ref] headers MUST have the same effect as Cache-Control: private [ref] on the response.
>>> """
>
> --
> Mark Nottingham     http://www.mnot.net/
>
>
Received on Wednesday, 9 June 2010 00:55:37 GMT
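The following is an added example, not code from the thread or from the working group, showing what a shared cache's storability check looks like if it adopts the conservative precedence Adrien argues for (private wins over public when both appear) together with the first of the two proposals quoted from Mark (a response to a request carrying Authorization is not reusable by a shared cache unless a directive explicitly allows it). Which directives count as "allowing" is an assumption here: the example uses public, s-maxage and must-revalidate, the set that RFC 7234 section 3.2 later settled on. A field-qualified private (private="Set-Cookie") is treated as fully private, which is deliberately conservative rather than what a full implementation would do. The sample headers are constructed for illustration.

```python
"""Shared-cache storability check for HTTP Cache-Control (illustrative, not WG text)."""

# Directives whose presence lets a shared cache reuse an authenticated response.
# Assumption: this is the set RFC 7234 section 3.2 eventually specified.
AUTH_OVERRIDES = ("public", "s-maxage", "must-revalidate")


def parse_cache_control(header):
    """Parse a Cache-Control field value into {directive: value-or-None}.

    Directive names are case-insensitive; quoted values have their quotes
    stripped. Order in the header is intentionally discarded: conflict
    resolution is done by precedence below, not by first-or-last-wins.
    """
    directives = {}
    if not header:
        return directives
    for part in header.split(","):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition("=")
        name = name.strip().lower()
        directives[name] = value.strip().strip('"') if sep else None
    return directives


def shared_cache_may_store(cache_control, request_had_authorization):
    """Decide whether a shared (proxy) cache may store and reuse a response.

    Returns (allowed, reason). Precedence is security-conservative:
    no-store beats everything, private beats public, and an Authorization
    request defaults to private unless an AUTH_OVERRIDES directive is present.
    """
    d = parse_cache_control(cache_control)

    if "no-store" in d:
        return False, "no-store forbids storing anywhere"

    # Conservative precedence: 'private, public' resolves to private.
    # A field-qualified private (private="Set-Cookie") is also treated as
    # private here; a fuller implementation would only strip those fields.
    if "private" in d:
        return False, "private takes precedence over public"

    if request_had_authorization:
        allowing = [name for name in AUTH_OVERRIDES if name in d]
        if not allowing:
            return False, ("request carried Authorization and no directive "
                           "allows shared caching; treated as private")
        return True, "authenticated, but explicitly allowed by " + ", ".join(allowing)

    return True, "no directive forbids shared caching"


def evaluate_cases(cases):
    """Run a list of (Cache-Control, had_authorization) pairs; return decisions."""
    return [shared_cache_may_store(cc, auth) + (cc, auth) for cc, auth in cases]


# Constructed sample responses covering the two cases discussed in the thread
# plus the defaulting behaviour for authenticated requests.
SAMPLE_CASES = [
    ("public", True),                    # case 1: authenticated + public
    ("private, public", True),           # case 2: conflicting directives
    ("private, public", False),          # case 2 without Authorization
    ("max-age=60", True),                # authenticated, nothing allowing it
    ("max-age=60", False),               # ordinary response, storable
    ("s-maxage=30", True),               # authenticated, s-maxage allows it
    ("no-store, public", True),          # no-store wins over public
    ('private="Set-Cookie", public', True),  # field-qualified private
]

if __name__ == "__main__":
    for allowed, reason, cc, auth in evaluate_cases(SAMPLE_CASES):
        flag = "STORE" if allowed else "SKIP "
        print(f"{flag} auth={auth!s:5} Cache-Control: {cc!r:32} {reason}")
```

The point the thread is circling is visible in the second and fourth sample lines: with a defined precedence, "private, public" never depends on whether the implementer is an optimist, and an authenticated response without any allowing directive is rejected by the same rule that rejects an explicit private. That is exactly the special case Adrien raises: the "treat Authorization as private" wording only works because public is allowed to override the default but not an explicit private.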
