Re: Warning: header, need origin

jg@w3.org:
>
>        The intent of "caching may violate law" is to handle the situation
>that comes up with certain information (e.g. medical records) going
>though a cache that may be deliberately ignoring some cache control
>directives.

If this is the sole intent, then this intent is not clear to me from
the proposed text, which says "any law".

Some US cache operators are currently worrying about caching
"indecent" material from, say, European servers.  I see no indication
in the proposed text that "caching may violate law" won't handle this.
If you do want to handle this with "caching may violate law", you will
fail.  If you don't want to handle it, you need to be more explicit
about this in the text.

>  This allows an information provider a mechanism to
>flag such information that makes it clear that such data must not
>be cached.

If "caching may violate law" is supposed to handle this case only, it
needs rewording.  In this case, "caching may violate law" is best
defined as an _explanatory message_ accompanying a "Cache-control:
no-cache" response header.

>  We have knowledge and experience that some caches are run
>in such a manner, and want some mechanism to deal with it.

We already discussed caches deliberately ignoring "cache-control:
max-age=0" at length in the "Transparency vs. Performance" threads,
which were inspired by concerns about the interaction between caching
and cookies.

The conclusion then was that HTTP could not forbid caches (in
particular those in user agents) from ignoring "cache-control:
max-age=0".  This conclusion can be extended to the "cache-control:
no-cache" header.

In private e-mail, Roy, Jeff, and I agreed that HTTP could require
this ignoring of Cache-control to be _detectable_ by the origin
server.  If a cache is operating under a situation where it is
ignoring caching header, it should include a

 Cache-control: max-stale=<something>

header in the request.  Origin servers could, on detecting this
header, deny service if caching would violate law.

>        So that is the background; if you don't like this mechanism,
>what would you propose?

In summary, I propose we stick to the consensus reached that HTTP
cannot require that caches _must_ pay attention to "cache-control" in
some cases.  I propose that we make the ignoring of "cache-control" by
caches detectable by origin servers.

I think that the current proposed text for the "caching may violate
law" warning code has huge problems.  But I also think that a "caching
may violate law" code defined as an _explanatory message_ accompanying
a "Cache-control: no-cache" response header would be a good addition
to the protocol.

Discussions on violating law through incorrect caching are also best
moved to the security section.  These discussions should mention
max-stale.

> - Jim Gettys

Koen.

Received on Wednesday, 3 April 1996 20:32:05 UTC