- From: Julian Reschke <julian.reschke@gmx.de>
- Date: Tue, 26 Jul 2011 21:29:28 +0200
- To: Bjoern Hoehrmann <derhoermi@gmx.net>
- CC: HTTP Working Group <ietf-http-wg@w3.org>
On 2011-07-26 20:29, Julian Reschke wrote:
> On 2011-07-26 02:38, Bjoern Hoehrmann wrote:
>> ...
>> This should refer to disclosure or something like that rather than
>> leakage (you wouldn't design a protocol that intentionally leaks something),
>> and `Vary: *` strikes me as odd in this context (why, then, doesn't the
>> use of Authorization imply just `Vary: Authorization`, for instance).
>>
>> I would rather say something along the lines that use of "Authorization"
>> implies that the message is confidential with respect to the credentials
>> provided in that header, meaning messages should be treated as if they
>> had `Cache-Control: private`, and that new schemes must take explicit
>> measures to ensure the confidentiality of messages, like using that same
>> header, because deployed servers are otherwise unaware of the semantics.
>
> ...
>
> Björn, thanks. To the point as always...
>
> So:
>
> "Use of the Authorization header to transfer credentials implies that
> the message is confidential with respect to the credentials provided in
> that header field, meaning response messages ought to be treated as if
> they had "Cache-Control: private", and that new authentication schemes
> will have to take explicit measure to ensure the confidentiality of
> messages, such as by using that very header, because deployed recipients
> are otherwise unaware of the semantics."
>
> ?

Or even....:

"The credentials carried in an Authorization header field are specific to the User Agent, and therefore have the same effect on HTTP caches as the "private" Cache-Control response directive, within the scope of the request they appear in. Therefore, new authentication schemes which choose not to carry credentials in the Authorization header (e.g., using a newly defined header) will need to explicitly disallow caching, by mandating the use of either Cache-Control request directives (e.g., "no-store") or response directives (e.g., "private")."

BR, Julian
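The caching rule the proposed text describes, modelled as a shared-cache storability check. This is an added example written for this archive page, not code from the thread or from any HTTP implementation: it treats an `Authorization` request header as if the response carried `Cache-Control: private`, honours explicit `no-store` and `private` directives, and otherwise stores. The `X-NewScheme-Credentials` header stands in for the "newly defined header" of a hypothetical new scheme and is a constructed name; the Cache-Control parser is deliberately minimal (no commas inside quoted arguments).

```python
"""
Model of how a deployed shared HTTP cache decides whether it may store a
response, following the rule proposed in the thread: credentials in the
Authorization request header act like a "Cache-Control: private" response
directive, while a credential header the cache has never heard of gets no
such treatment unless the scheme mandates explicit Cache-Control directives.
"""
from typing import Dict, Mapping, Optional, Tuple

# Constructed name for a hypothetical new scheme's credential header;
# a deployed cache knows nothing about it.
NEW_SCHEME_HEADER = "X-NewScheme-Credentials"


def parse_cache_control(value: str) -> Dict[str, Optional[str]]:
    """Split a Cache-Control field value into {directive: argument-or-None}.
    Directive names are case-insensitive; quoted arguments are unquoted.
    Simplified: does not handle commas inside quoted arguments."""
    directives: Dict[str, Optional[str]] = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') if arg else None
    return directives


def _lower(headers: Mapping[str, str]) -> Dict[str, str]:
    """Header field names are case-insensitive; normalise for lookup."""
    return {k.lower(): v for k, v in headers.items()}


def shared_cache_may_store(request_headers: Mapping[str, str],
                           response_headers: Mapping[str, str]) -> Tuple[bool, str]:
    """Return (may_store, reason) for a shared cache, per the thread's rule."""
    req = _lower(request_headers)
    resp = _lower(response_headers)
    req_cc = parse_cache_control(req.get("cache-control", ""))
    resp_cc = parse_cache_control(resp.get("cache-control", ""))

    if "no-store" in req_cc or "no-store" in resp_cc:
        return False, "no-store directive present"
    if "private" in resp_cc:
        return False, "response carries Cache-Control: private"
    if "authorization" in req:
        # Credentials in Authorization are specific to the user agent:
        # treat the response as if it said Cache-Control: private.
        return False, "Authorization present: treated as Cache-Control: private"
    # Any other credential header is invisible to this cache.
    return True, "no directive forbids storing"


def demo() -> Dict[str, bool]:
    """Run the four cases discussed in the thread on constructed headers."""
    cases = {
        # Legacy scheme: the cache already treats this as private.
        "basic_auth": ({"Authorization": "Basic dXNlcjpwYXNz"},
                       {"Cache-Control": "max-age=600"}),
        # New scheme without explicit directives: the cache stores it, and
        # a later request from another client could be served that response.
        "new_scheme_unmarked": ({NEW_SCHEME_HEADER: "token-abc"},
                                {"Cache-Control": "max-age=600"}),
        # New scheme mandating a response directive: not stored.
        "new_scheme_private": ({NEW_SCHEME_HEADER: "token-abc"},
                               {"Cache-Control": "private, max-age=600"}),
        # New scheme mandating a request directive: not stored.
        "new_scheme_no_store": ({NEW_SCHEME_HEADER: "token-abc",
                                 "Cache-Control": "no-store"},
                                {"Cache-Control": "max-age=600"}),
    }
    return {name: shared_cache_may_store(rq, rs)[0] for name, (rq, rs) in cases.items()}


if __name__ == "__main__":
    for name, stored in demo().items():
        print(f"{name:22s} stored by shared cache: {stored}")
```

The `new_scheme_unmarked` case is the situation the proposed text warns about: the credentials are request-specific, but a deployed cache has no way to know that, so the scheme itself has to mandate `no-store` or `private`. The rule as later published in RFC 7234 section 3.2 also lets a shared cache store an Authorization-bearing response when the response explicitly says `public`, `must-revalidate` or `s-maxage`; that refinement is not part of the thread's text and is not modelled here.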
Received on Tuesday, 26 July 2011 19:30:11 UTC