- From: Bjoern Hoehrmann <derhoermi@gmx.net>
- Date: Tue, 26 Jul 2011 02:38:37 +0200
- To: Julian Reschke <julian.reschke@gmx.de>
- Cc: HTTP Working Group <ietf-http-wg@w3.org>
* Julian Reschke wrote:
>Maybe...:
>
>Use of the Authorization header to transfer credentials implies
>"Cache-Control: private" [ref] and thus affects cacheability of
>responses. Thus, definitions of new authentication schemes that do not
>use "Authorization" will need to ensure that response messages do not
>leak in an unintended way, for instance by specifying "Cache-Control" or
>"Vary: *" [ref] explicitly.

This should refer to disclosure or something like that rather than leakage (you wouldn't design a protocol that intentionally leaks something), and `Vary: *` strikes me as odd in this context (why, then, doesn't the use of Authorization imply just `Vary: Authorization`, for instance).

I would rather say something along the lines that use of "Authorization" implies that the message is confidential with respect to the credentials provided in that header, meaning messages should be treated as if they had `Cache-Control: private`, and that new schemes must take explicit measures to ensure the confidentiality of messages, like using that same header, because deployed servers are otherwise unaware of the semantics.

-- 
Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
Am Badedeich 7 · Telefon: +49(0)160/4415681 · http://www.bjoernsworld.de
25899 Dagebüll · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/
Received on Tuesday, 26 July 2011 00:39:15 UTC
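The point made above, that a credential carried in anything other than `Authorization` gets no implicit protection from a shared cache, can be seen in a minimal storability check. This is an added example, not code from the thread or from any HTTP implementation; it assumes the Authorization rule of RFC 7234 section 3.2, and the `X-Example-Token` header standing in for a hypothetical new scheme is constructed.

```python
# Added example: decide whether a *shared* cache may store a response.
# Models the RFC 7234 section 3.2 rule for Authorization plus the generic
# private/no-store directives; all header values here are constructed.

def parse_cache_control(value):
    """Parse a Cache-Control field value into {directive: argument-or-None}."""
    directives = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives


def shared_cache_may_store(request_headers, response_headers):
    """Return (storable, reason). Header dicts use lower-cased field names."""
    cc = parse_cache_control(response_headers.get("cache-control", ""))
    if "private" in cc or "no-store" in cc:
        return False, "response carries Cache-Control: private or no-store"
    if "authorization" in request_headers:
        # Authorization on the request makes the response unstorable by a
        # shared cache unless the origin explicitly opts in (RFC 7234 3.2).
        if {"public", "must-revalidate", "s-maxage"} & cc.keys():
            return True, "Authorization present but origin explicitly allows sharing"
        return False, "request had Authorization; no public/must-revalidate/s-maxage"
    # A credential in any other header is invisible to this rule: the cache
    # treats the response as ordinary unless Cache-Control says otherwise.
    return True, "no rule forbids storing this response"


def demo():
    """Contrast an Authorization-based scheme with a hypothetical new one."""
    auth_req = {"authorization": "Basic dXNlcjpwYXNz"}        # constructed
    new_req = {"x-example-token": "constructed-token-value"}  # hypothetical scheme
    return {
        "authorization, bare response": shared_cache_may_store(auth_req, {}),
        "new scheme, bare response": shared_cache_may_store(new_req, {}),
        "new scheme, explicit private": shared_cache_may_store(
            new_req, {"cache-control": "private, max-age=60"}),
    }


if __name__ == "__main__":
    for case, (storable, reason) in demo().items():
        print(f"{case}: storable={storable} ({reason})")
```

The middle case is the one the thread worries about: without an explicit `Cache-Control`, a shared cache has no way to know the response is bound to a credential.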