- From: Roy Fielding <fielding@beach.w3.org>
- Date: Mon, 14 Aug 1995 16:57:02 -0400
- To: Koen Holtman <koen@win.tue.nl>
- Cc: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
>In section 10 of <draft-ietf-http-v10-spec-01.txt>, it says:
>
>   Proxies must be completely transparent regarding user agent
>   authentication. That is, they must forward the WWW-Authenticate and
>   Authorization headers untouched. HTTP/1.0 does not provide a means
>   for a client to be authenticated with a proxy.
>
>I read this to imply that caching proxies may never cache responses to
>requests with Authorization headers.

Actually, it doesn't say that, but it should. I have added it to draft 02.

Anything that involves authentication in "current practice" also implies exclusion of those not authenticated. Since the proxy cannot duplicate the server's authorization capability, it must not deliver the response to anyone but the client requesting it (and only for that particular request), and therefore should never cache such responses.

....Roy T. Fielding
Department of ICS, University of California, Irvine USA
Visiting Scholar, MIT/LCS + World-Wide Web Consortium
(fielding@w3.org) (fielding@ics.uci.edu)
Received on Monday, 14 August 1995 13:58:26 UTC
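
The reasoning in the message above, as an added example that is not part of the original post: a toy in-memory shared cache keyed by URL, run once with the rule "never cache responses to requests carrying Authorization" and once without it. The origin function, the proxy class, the URL and the credential are all constructed for illustration.

```python
# Added example: a toy model, not real proxy code. All names and values
# (origin, CachingProxy, the URL, the credential) are constructed.

SECRET_BODY = "payroll report"        # constructed sample content
VALID_AUTH = "Basic YWxpY2U6cHc="     # constructed sample credential


def origin(url, headers):
    """Origin server: only it can judge whether the credentials are valid."""
    if headers.get("Authorization") == VALID_AUTH:
        return 200, {}, SECRET_BODY
    return 401, {"WWW-Authenticate": 'Basic realm="hr"'}, "unauthorized"


class CachingProxy:
    def __init__(self, cache_authenticated):
        # cache_authenticated=True models the mistake the message rules out.
        self.cache_authenticated = cache_authenticated
        self.cache = {}  # shared cache keyed by URL only

    def fetch(self, url, headers):
        if url in self.cache:
            # A cache hit bypasses the origin's authorization check entirely.
            return self.cache[url]
        # Authorization is forwarded untouched; WWW-Authenticate comes back untouched.
        response = origin(url, dict(headers))
        has_auth = "Authorization" in headers
        if response[0] == 200 and (self.cache_authenticated or not has_auth):
            self.cache[url] = response
        return response


def demo(cache_authenticated):
    """An authenticated client fetches a URL, then an anonymous client asks for it."""
    proxy = CachingProxy(cache_authenticated)
    url = "http://hr.example/report"
    first = proxy.fetch(url, {"Authorization": VALID_AUTH})
    anon = proxy.fetch(url, {})
    return first[0], anon[0], anon[2]


if __name__ == "__main__":
    print("caches authenticated responses:", demo(True))
    print("never caches them:             ", demo(False))
```

With caching of authenticated responses enabled, the anonymous client receives the protected body from the cache; with the rule applied, its request reaches the origin and gets the 401 challenge.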