RE: #78: Relationship between 401, Authorization and WWW-Authenticate from Manger, James H on 2011-07-26 (ietf-http-wg@w3.org from July to September 2011)

From: Manger, James H <James.H.Manger@team.telstra.com>
Date: Tue, 26 Jul 2011 10:13:11 +1000
To: Willy Tarreau <w@1wt.eu>, Julian Reschke <julian.reschke@gmx.de>
CC: HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <255B9BB34FB7D647A506DC292726F6E112894D97F2@WSMSG3153V.srv.dir.telstra.com>

>On Mon, Jul 25, 2011 at 11:54:07PM +0200, Julian Reschke wrote:
>> Maybe...:
>> 
>> Use of the Authorization header to transfer credentials implies 
>> "Cache-Control: private" [ref] and thus affects cacheability of 
>> responses. Thus, definitions of new authentication schemes that do not 
>> use "Authorization" will need to ensure that response messages do not 
>> leak in an unintended way, for instance by specifying "Cache-Control" or 
>> "Vary: *" [ref] explicitly.
>> 
>> Feedback appreciated,

>I can read the first sentence in two ways :
>  - if a server or intermediary receives an Authorization header, it must
>    assume that "Cache-Control: private" is implied
>  - if a client wants to emit an Authorization header, it must also add
>    a "Cache-Control: private" header
>
>I think the former was meant given the second sentence, though I'm not
>100% certain. If so, maybe we should focus on the recipient of the message
>and replace "Use of" with "Presence of" (or anything equivalent).
>
>The second part is clear enough however.

The first sentence should be read a 3rd way:
  - if an Authorization header is present in a request, the corresponding
    response MUST be treated as though it includes "Cache-Control: private",
    unless it explicitly includes a Cache-Control header

draft-ietf-httpbis-p7-auth-15#section-4.1 already contains 20 lines of text (1 paragraph plus 3 dot points) about caching when a request includes an Authorization header. This shouldn't be paraphrased immediately after that text with the first sentence above "... implies Cache-Control: private...". I am not sure that the 20 lines are totally consistent with this first sentence.

Perhaps the existing 20 lines were going to be removed, to be replaced with a single sentence about implying "Cache-Control: private" by default? That sounds ok to me, as long as the first sentence makes it clear that "Cache-Control: private" is implied for the corresponding response.

Alternatively, if the existing 20 lines are kept, then just add the 2nd sentence of the Julian's text as a new paragraph at the end of section 4.1 [draft-ietf-httpbis-p7-auth-15#section-4.1]:

  Use of authentication schemes that do not 
  use "Authorization" will need to ensure that response messages do not 
  leak in an unintended way, for instance by specifying "Cache-Control" or 
  "Vary: *" [ref] explicitly.

--
James Manger

Received on Tuesday, 26 July 2011 00:13:46 UTC