Re: Questions (errata?) about caching authenticated responses from Mark Nottingham on 2000-07-22 (ietf-http-wg@w3.org from July to September 2000)

From: Mark Nottingham <mnot@mnot.net>
Date: Sat, 22 Jul 2000 12:28:13 -0700
To: Joris Dobbelsteen <joris.dobbelsteen@mail.com>
Cc: "WWW WG (E-mail)" <http-wg@cuckoo.hpl.hp.com>
Message-ID: <20000722122811.A8652@mnot.net>

I think the point here is that maximum 'security' is not always the goal;
sometimes, all that's needed is trivial authentication (which is all that
can really be expected in any case), and cacheability of the objects due to

Cheers,


On Sat, Jul 22, 2000 at 04:05:31PM +0200, Joris Dobbelsteen wrote:
> The best solution for maximum security whould be:
> 
> Authenticated request
> =====================
> Shared-Cache
> Do NOT cache the response, because it requires uses to authenticate, and may
> not be accessed by everyone.
> 
> Private-Cache
> A private-cache is used by ONLY ONE PERSON. This cache may cache the
> response (depending on the cache-control header), because it can only be
> accessed by one person.
> 
> 
> 
> - Joris Dobbelsteen
> 
> 
> > -----Original Message-----
> > From: Duane Wessels [mailto:wessels@ircache.net]
> > Sent: donderdag 20 juli 2000 7:48
> > To: http-wg@cuckoo.hpl.hp.com
> > Subject: Questions (errata?) about caching authenticated responses
> >
> >
> > I've been reading RFCs 2616 and 2617 about caching authenticated
> > responses, and have possibly found some inconsistencies.
> >
> > #1.     The very last sentence of Sec 14.9.4 (under proxy-revalidate)
> > 	says: ``...such authenticated responses also need the public
> > 	cache control directive in order to allow them to be cached at
> > 	all''
> >
> > 	Yet, Sec 14.8 lists three cache-control directives that allow a
> > 	shared cache to reuse an authenticatd response: s-maxage,
> > 	must-revalidate, and public.
> >
> > #2.	If must-revalidate alone is enough to allow an authenticated
> > 	response to be cached, and if proxy-revalidate is the same
> > 	as must-revalidate for a shared cache, is proxy-revalidate
> > 	alone enough to allow an authenticated response to be cached?
> >
> > 	If so, should proxy-revalidate be listed in section 14.8?
> >
> > #3.	RFC 2617, Sec 3.2.2.5 says:
> >
> > 	    when a shared cache ... has received a request containing
> > 	    an Authorization header and a response from relaying that
> > 	    request, it MUST NOT return that response as a reply to any
> > 	    other request, unless one of two Cache-Control (see section
> > 	    14.9 of [RFC2616]) directives was present in the response.
> >
> > 	I believe this is referring to section 14.8, rather than 14.9,
> > 	and "two" is not the right number?
> >
> > Finally, Sec 14.8 doesn't mention if a non-shared cache needs to treat
> > an authenticated response specially.  I assume that a non-shared
> > cache can store and reuse an authenticated response by default.
> > Should that be made explicit?
> >
> > Duane W.
> >
> >
> >
> >
> 

-- 
Mark Nottingham
http://www.mnot.net/

Received on Saturday, 22 July 2000 12:41:43 UTC