RE: Questions (errata?) about caching authenticated responses

The best solution for maximum security would be:

Authenticated request
=====================
Shared-Cache
Do NOT cache the response, because it requires users to authenticate, and may
not be accessed by everyone.

Private-Cache
A private-cache is used by ONLY ONE PERSON. This cache may cache the
response (depending on the cache-control header), because it can only be
accessed by one person.



- Joris Dobbelsteen


> -----Original Message-----
> From: Duane Wessels [mailto:wessels@ircache.net]
> Sent: donderdag 20 juli 2000 7:48
> To: http-wg@cuckoo.hpl.hp.com
> Subject: Questions (errata?) about caching authenticated responses
>
>
> I've been reading RFCs 2616 and 2617 about caching authenticated
> responses, and have possibly found some inconsistencies.
>
> #1.     The very last sentence of Sec 14.9.4 (under proxy-revalidate)
> 	says: ``...such authenticated responses also need the public
> 	cache control directive in order to allow them to be cached at
> 	all''
>
> 	Yet, Sec 14.8 lists three cache-control directives that allow a
> 	shared cache to reuse an authenticated response: s-maxage,
> 	must-revalidate, and public.
>
> #2.	If must-revalidate alone is enough to allow an authenticated
> 	response to be cached, and if proxy-revalidate is the same
> 	as must-revalidate for a shared cache, is proxy-revalidate
> 	alone enough to allow an authenticated response to be cached?
>
> 	If so, should proxy-revalidate be listed in section 14.8?
>
> #3.	RFC 2617, Sec 3.2.2.5 says:
>
> 	    when a shared cache ... has received a request containing
> 	    an Authorization header and a response from relaying that
> 	    request, it MUST NOT return that response as a reply to any
> 	    other request, unless one of two Cache-Control (see section
> 	    14.9 of [RFC2616]) directives was present in the response.
>
> 	I believe this is referring to section 14.8, rather than 14.9,
> 	and "two" is not the right number?
>
> Finally, Sec 14.8 doesn't mention if a non-shared cache needs to treat
> an authenticated response specially.  I assume that a non-shared
> cache can store and reuse an authenticated response by default.
> Should that be made explicit?
>
> Duane W.
>
>
>
>
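As an added illustration (not code from either mail), here is a small Python decision function that encodes the RFC 2616 Sec 14.8 rule the thread turns on: a shared cache may reuse a response to a request carrying an Authorization header only if s-maxage, must-revalidate or public is present, while a single-user (private) cache is not restricted by that rule. The function names and the constructed header dictionaries are assumptions for the example; note that proxy-revalidate is deliberately not in the override list, which is exactly Duane's question #2.

```python
"""Store/reuse decision for authenticated responses (RFC 2616 Sec 14.8)."""
from typing import Dict, Tuple

# The three directives RFC 2616 Sec 14.8 names as permitting a shared cache
# to reuse a response to a request that carried an Authorization header.
SHARED_AUTH_OVERRIDES = ("s-maxage", "must-revalidate", "public")


def parse_cache_control(value: str) -> Dict[str, str]:
    """Split 'max-age=60, public' into {'max-age': '60', 'public': ''}."""
    directives: Dict[str, str] = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"')
    return directives


def may_store(request_headers: Dict[str, str],
              response_headers: Dict[str, str],
              shared: bool) -> Tuple[bool, str]:
    """Return (allowed, reason) for storing the response in a cache.

    shared=True models a proxy cache serving many users; shared=False
    models one user's own cache (the 'private-cache' in the reply above).
    Header names and values are the constructed sample input of the caller.
    """
    req = {k.lower(): v for k, v in request_headers.items()}
    resp = {k.lower(): v for k, v in response_headers.items()}
    cc = parse_cache_control(resp.get("cache-control", ""))

    if "no-store" in cc:
        return False, "no-store forbids storing in any cache"
    if shared and "private" in cc:
        return False, "private restricts the response to a non-shared cache"
    if shared and "authorization" in req:
        # Sec 14.8: a shared cache MUST NOT reuse the response unless one of
        # the listed directives is present. proxy-revalidate is not listed.
        present = [d for d in SHARED_AUTH_OVERRIDES if d in cc]
        if not present:
            return False, "Authorization request without s-maxage/must-revalidate/public"
        return True, "authenticated response permitted by " + ", ".join(present)
    return True, "no restriction applies"
```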

Received on Saturday, 22 July 2000 07:10:18 UTC