RE: How to implement the best practice "cache resources"

ETag [1] doesn't have to be a hash, though some servers implement it
that way. Could be a hash of the content, or of metadata describing the
content (including a timestamp) or all of this. Or maybe even none, as
it might be no more than a uniformly increasing version number, or
something similar. It indicates that something has changed, but the
scope of the context of this assessment is limited to what is visible to
the server. If you are an intermediate proxy, then you might have a
slightly different view of the context, and hence your interpretation of
"changed" might differ. This is subtly different from the validation
mechanism [2] originally envisaged, which said nothing about a resource
being perceived differently depending on the delivery context. The
assumption has been the traditional "one resource, one representation".
ETag does not differentiate between a change of the resource or a change
of its representation.

So, I suggest that ETag alone might not be sufficient for every
proxy/cache situation, and that gathering some more fingerprints might
be necessary. Whether or not one needs to fingerprint the entire
payload, I'm not sure, but I'd like to avoid that overhead if possible.
Maybe this is just too much for a blanket BP to cover?

---Rotan.

[1] http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.19
[2] http://www.w3.org/Protocols/rfc2616/rfc2616-sec13.html#sec13.3.3



-----Original Message-----
From: Scheppe, Kai-Dietrich [mailto:k.scheppe@telekom.de] 
Sent: 25 January 2010 13:58
To: Jo Rabin; Rotan Hanrahan
Cc: Tom Hume; JOSE MANUEL CANTERA FONSECA; Mobile Web Best Practices
Working Group WG
Subject: RE: How to implement the best practice "cache resources"

Isn't the ETag some form of hash already?

Kai


 

> -----Original Message-----
> From: Jo Rabin [mailto:jo@linguafranca.org] 
> Sent: Monday, January 25, 2010 2:53 PM
> To: Rotan Hanrahan
> Cc: Tom Hume; JOSE MANUEL CANTERA FONSECA; Mobile Web Best 
> Practices Working Group WG
> Subject: Re: How to implement the best practice "cache resources"
> 
> I thought you'd do this the same way as you would an ETag. But 
> the BP does specify a hash of the resource content, rather 
> than something made from the last modified date, or 
> something. So perhaps the BP is overly prescriptive about this.
> 
> Jo
> 
> On 24/01/2010 22:08, Rotan Hanrahan wrote:
> > That's an interesting question. On seeing that BP for the
> > first time I assumed the fingerprint would be derived from
> > the metadata (mainly the HTTP headers). Certainly one could
> > hash these to facilitate an associative lookup. The question,
> > as posed, raises another possibility, and that is a digital
> > signature of the entire response. Headers and payload. So now
> > I too would like to get some clarity from the proposers.
> >
> > As for MD5, whether used to hash only (a subset of) the
> > headers or the entire response, there is always the
> > possibility of "hash clash". Despite this, MD5 is still
> > useful as a checksum, though I have my doubts about using it
> > as the sole means of key generation for a resource cache.
> >
> > If you want to consider an alternative, SHA-2 is worth a
> > look. I get the impression that this is going to take over
> > from MD5 in the near future.
> >
> > Assuming the security of the hashing is not significant,
> > the focus might turn to the processing efficiency. Maybe some
> > cryptographers reading this might care to comment.
> >
> > Finally, if you are interested in some open source crypto
> > resources, I recommend you take a look at Bouncy Castle.
> > (www.bouncycastle.org)
> >  
> > ---Rotan.
> > 
> > ________________________________
> > 
> > From: public-bpwg-request@w3.org on behalf of Tom Hume
> > Sent: Sun 24/01/2010 13:35
> > To: JOSE MANUEL CANTERA FONSECA
> > Cc: Mobile Web Best Practices Working Group WG
> > Subject: Re: How to implement the best practice "cache resources"
> > 
> > 
> > 
> > Would MD5 be a good means of doing this?
> > 
> > 2010/1/21 JOSE MANUEL CANTERA FONSECA <jmcf@tid.es>:
> >> Hi all,
> >>
> >>
> >>
> >> I was trying to find a recommended open source library to
> >> calculate a hash of a resource in accordance with the "cache
> >> resources by fingerprinting" best practice. Any advice,
> >> especially from the people who proposed this BP, would
> >> be welcome.
> >>
> >>
> >>
> >> thank you
> >>
> >>
> >>
> >> best r.
> > 
> > 
> > 
> > --
> > Future Platforms: hungry and foolish since 2000
> > work: Tom.Hume@futureplatforms.com play: tomhume.org
> > 
> > 
> > 
> > 
> 
> 

Received on Monday, 25 January 2010 14:15:54 UTC
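
The top message suggests that an ETag alone may not identify what a proxy or cache actually delivered, and that further fingerprints may be needed without hashing every payload. The sketch below is an added example, not part of the original thread or of the best practice text: it builds a SHA-256 (SHA-2 family) cache fingerprint from the URL, the ETag and a few representation headers, and hashes the body only when no ETag exists. The function names and the choice of headers are assumptions made for illustration.

```python
import hashlib

# Headers that describe the representation rather than the resource.
# Which headers matter is an assumption of this sketch; a real cache
# would also honour whatever the response's Vary header names.
REPRESENTATION_HEADERS = ("content-type", "content-encoding", "content-language")


def _feed(h, label, value):
    """Length-prefix each field so ("ab", "c") and ("a", "bc") hash differently."""
    for part in (label, value):
        data = part if isinstance(part, bytes) else part.encode("utf-8")
        h.update(len(data).to_bytes(8, "big"))
        h.update(data)


def fingerprint(url, headers, body=None):
    """Return a hex SHA-256 cache fingerprint for one response.

    The validator is the ETag when the server sent one; only when it is
    missing is the payload itself hashed, which avoids that cost in the
    common case.
    """
    hdrs = {k.lower(): v.strip() for k, v in headers.items()}
    h = hashlib.sha256()
    _feed(h, "url", url)
    for name in REPRESENTATION_HEADERS:
        _feed(h, name, hdrs.get(name, ""))
    etag = hdrs.get("etag")
    if etag:
        _feed(h, "etag", etag)
    elif body is not None:
        _feed(h, "body-sha256", hashlib.sha256(body).digest())
    else:
        raise ValueError("no ETag and no body: nothing to validate against")
    return h.hexdigest()


# Constructed sample responses: same resource and ETag, but the second is
# what a transcoding proxy might deliver to a different device.
ORIGIN = {"ETag": '"v42"', "Content-Type": "image/png"}
TRANSCODED = {"ETag": '"v42"', "Content-Type": "image/jpeg"}
NO_ETAG = {"Content-Type": "text/html"}
URL = "http://example.org/logo"

if __name__ == "__main__":
    print(fingerprint(URL, ORIGIN))
    print(fingerprint(URL, TRANSCODED))
```

The two sample responses share an ETag yet get different fingerprints, so a cache keyed this way does not serve the transcoded image in place of the original.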