- From: Joris Dobbelsteen <joris.dobbelsteen@mail.com>
- Date: Sat, 22 Jul 2000 16:05:31 +0200
- To: "WWW WG (E-mail)" <http-wg@cuckoo.hpl.hp.com>
The best solution for maximum security whould be: Authenticated request ===================== Shared-Cache Do NOT cache the response, because it requires uses to authenticate, and may not be accessed by everyone. Private-Cache A private-cache is used by ONLY ONE PERSON. This cache may cache the response (depending on the cache-control header), because it can only be accessed by one person. - Joris Dobbelsteen > -----Original Message----- > From: Duane Wessels [mailto:wessels@ircache.net] > Sent: donderdag 20 juli 2000 7:48 > To: http-wg@cuckoo.hpl.hp.com > Subject: Questions (errata?) about caching authenticated responses > > > I've been reading RFCs 2616 and 2617 about caching authenticated > responses, and have possibly found some inconsistencies. > > #1. The very last sentence of Sec 14.9.4 (under proxy-revalidate) > says: ``...such authenticated responses also need the public > cache control directive in order to allow them to be cached at > all'' > > Yet, Sec 14.8 lists three cache-control directives that allow a > shared cache to reuse an authenticatd response: s-maxage, > must-revalidate, and public. > > #2. If must-revalidate alone is enough to allow an authenticated > response to be cached, and if proxy-revalidate is the same > as must-revalidate for a shared cache, is proxy-revalidate > alone enough to allow an authenticated response to be cached? > > If so, should proxy-revalidate be listed in section 14.8? > > #3. RFC 2617, Sec 3.2.2.5 says: > > when a shared cache ... has received a request containing > an Authorization header and a response from relaying that > request, it MUST NOT return that response as a reply to any > other request, unless one of two Cache-Control (see section > 14.9 of [RFC2616]) directives was present in the response. > > I believe this is referring to section 14.8, rather than 14.9, > and "two" is not the right number? > > Finally, Sec 14.8 doesn't mention if a non-shared cache needs to treat > an authenticated response specially. I assume that a non-shared > cache can store and reuse an authenticated response by default. > Should that be made explicit? > > Duane W. > > > >
Received on Saturday, 22 July 2000 07:10:18 UTC