Fwd: Questions (errata?) about caching authenticated responses [#174] from Mark Nottingham on 2009-06-25 (ietf-http-wg@w3.org from April to June 2009)

From: Mark Nottingham <mnot@mnot.net>
Date: Thu, 25 Jun 2009 16:12:27 +1000
To: HTTP Working Group <ietf-http-wg@w3.org>
Message-Id: <C8E9A095-6F76-4767-A1C5-72940AD268F3@mnot.net>

Trolled up from the old list..
   http://trac.tools.ietf.org/wg/httpbis/trac/ticket/174

Begin forwarded message:

> Resent-From: http-wg@cuckoo.hpl.hp.com
> From: Duane Wessels <wessels@ircache.net>
> Date: 20 July 2000 3:47:59 PM
> To: http-wg@cuckoo.hpl.hp.com
> Subject: Questions (errata?) about caching authenticated responses
>
> I've been reading RFCs 2616 and 2617 about caching authenticated
> responses, and have possibly found some inconsistencies.
>
> #1.     The very last sentence of Sec 14.9.4 (under proxy-revalidate)
> 	says: ``...such authenticated responses also need the public
> 	cache control directive in order to allow them to be cached at
> 	all''
>
> 	Yet, Sec 14.8 lists three cache-control directives that allow a
> 	shared cache to reuse an authenticatd response: s-maxage,
> 	must-revalidate, and public.
>
> #2.	If must-revalidate alone is enough to allow an authenticated
> 	response to be cached, and if proxy-revalidate is the same
> 	as must-revalidate for a shared cache, is proxy-revalidate
> 	alone enough to allow an authenticated response to be cached?
>
> 	If so, should proxy-revalidate be listed in section 14.8?
>
> #3.	RFC 2617, Sec 3.2.2.5 says:
>
> 	    when a shared cache ... has received a request containing
> 	    an Authorization header and a response from relaying that
> 	    request, it MUST NOT return that response as a reply to any
> 	    other request, unless one of two Cache-Control (see section
> 	    14.9 of [RFC2616]) directives was present in the response.
>
> 	I believe this is referring to section 14.8, rather than 14.9,
> 	and "two" is not the right number?
>
> Finally, Sec 14.8 doesn't mention if a non-shared cache needs to treat
> an authenticated response specially.  I assume that a non-shared
> cache can store and reuse an authenticated response by default.
> Should that be made explicit?
>
> Duane W.
>
>
>


--
Mark Nottingham     http://www.mnot.net/

Received on Thursday, 25 June 2009 06:13:06 UTC