- From: Julian Reschke <julian.reschke@gmx.de>
- Date: Tue, 26 Jul 2011 20:29:11 +0200
- To: Bjoern Hoehrmann <derhoermi@gmx.net>
- CC: HTTP Working Group <ietf-http-wg@w3.org>
On 2011-07-26 02:38, Bjoern Hoehrmann wrote:
> ...
> This should refer to disclosure or something like that rather than
> leakage (you wouldn't design a protocol that intentionally leaks something),
> and `Vary: *` strikes me as odd in this context (why, then, doesn't the
> use of Authorization imply just `Vary: Authorization`, for instance).
>
> I would rather say something along the lines that use of "Authorization"
> implies that the message is confidential with respect to the credentials
> provided in that header, meaning messages should be treated as if they
> had `Cache-Control: private`, and that new schemes must take explicit
> measures to ensure the confidentiality of messages, like using that same
> header, because deployed servers are otherwise unaware of the semantics.
> ...

Björn, thanks. To the point as always...

So:

"Use of the Authorization header to transfer credentials implies that the
message is confidential with respect to the credentials provided in that
header field, meaning response messages ought to be treated as if they had
"Cache-Control: private", and that new authentication schemes will have to
take explicit measures to ensure the confidentiality of messages, such as
by using that very header, because deployed recipients are otherwise
unaware of the semantics."

?
Received on Tuesday, 26 July 2011 18:29:42 UTC
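The caching rule the proposed wording describes, as an added example that is not part of the thread or of any HTTP WG draft: a storability check for a shared cache that treats a response to an Authorization-bearing request as if it carried Cache-Control: private. It goes one step beyond the message by also honouring the explicit exceptions RFC 7234 section 3.2 grants (public, must-revalidate, s-maxage), which later HTTP caching specs added for exactly this case. The function names, the simplified storability model (it ignores method and status-code defaults) and the sample headers are this example's own.

```python
"""Shared-cache storability check for responses to requests that carry
Authorization. Added example; not code from the mailing-list thread.
"""


def parse_cache_control(value):
    """Parse a Cache-Control value into {directive: argument or None}.

    Directive names are lower-cased; a quoted-string argument is unquoted.
    Commas inside a quoted string (e.g. private="Set-Cookie, X-Foo") do not
    split directives, which a naive value.split(",") would get wrong.
    """
    directives = {}
    if not value:
        return directives
    parts, token, in_quotes = [], [], False
    for ch in value:
        if ch == '"':
            in_quotes = not in_quotes
            token.append(ch)
        elif ch == ',' and not in_quotes:
            parts.append(''.join(token))
            token = []
        else:
            token.append(ch)
    parts.append(''.join(token))
    for part in parts:
        part = part.strip()
        if not part:
            continue
        name, sep, arg = part.partition('=')
        name = name.strip().lower()
        arg = arg.strip() if sep else None
        if arg is not None and len(arg) >= 2 and arg[0] == arg[-1] == '"':
            arg = arg[1:-1]
        directives[name] = arg
    return directives


def header(headers, name):
    """Case-insensitive lookup in a list of (name, value) pairs.
    Repeated fields are joined with ', ' as HTTP allows; None if absent."""
    found = [v for n, v in headers if n.lower() == name.lower()]
    return ', '.join(found) if found else None


def shared_cache_may_store(request_headers, response_headers):
    """Return (storable, reason) for a SHARED cache.

    Rules applied, in order:
      * no-store forbids storing anywhere (RFC 7234 s.3).
      * private forbids storing in a shared cache; a private="field-list"
        is treated as conservatively as bare private here (simplification).
      * A request that carried Authorization is treated as if the response
        were Cache-Control: private, unless the response explicitly says
        public, must-revalidate or s-maxage (RFC 7234 s.3.2).
    """
    cc = parse_cache_control(header(response_headers, 'Cache-Control'))
    if 'no-store' in cc:
        return False, 'response carries no-store'
    if 'private' in cc:
        return False, 'response is private'
    if header(request_headers, 'Authorization') is not None:
        for directive in ('public', 'must-revalidate', 's-maxage'):
            if directive in cc:
                return True, f'Authorization present but response carries {directive}'
        return False, 'request carried Authorization; treated as private'
    return True, 'no directive forbids shared caching'


# Constructed sample exchange (not captured traffic): the Authorization
# header is a placeholder credential, not a real token.
SAMPLE_REQUEST = [('Host', 'example.test'),
                  ('Authorization', 'Bearer example-token')]
SAMPLE_RESPONSE_NO_CC = [('Content-Type', 'text/plain')]
SAMPLE_RESPONSE_PUBLIC = [('Cache-Control', 'public, max-age=60')]

if __name__ == '__main__':
    for resp in (SAMPLE_RESPONSE_NO_CC, SAMPLE_RESPONSE_PUBLIC):
        print(shared_cache_may_store(SAMPLE_REQUEST, resp))
```

The ordering matters: an explicit `private` or `no-store` wins even when `public` is also present, and the Authorization exception is consulted only after those, so a server that forgets to send any directive gets the safe default the proposed text asks for.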