Re: Questions (errata?) about caching authenticated responses [#174]
Mark Nottingham <mnot@mnot.net> Wed, 02 June 2010 04:55 UTC
Return-Path: <ietf-http-wg-request@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@core3.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 2D28B3A6963 for <ietfarch-httpbisa-archive-bis2Juki@core3.amsl.com>; Tue, 1 Jun 2010 21:55:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.792
X-Spam-Level:
X-Spam-Status: No, score=-7.792 tagged_above=-999 required=5 tests=[AWL=-0.207, BAYES_40=-0.185, J_CHICKENPOX_23=0.6, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dxZskuD2nzSb for <ietfarch-httpbisa-archive-bis2Juki@core3.amsl.com>; Tue, 1 Jun 2010 21:55:32 -0700 (PDT)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) by core3.amsl.com (Postfix) with ESMTP id C24773A6952 for <httpbisa-archive-bis2Juki@lists.ietf.org>; Tue, 1 Jun 2010 21:55:32 -0700 (PDT)
Received: from lists by frink.w3.org with local (Exim 4.69) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1OJfyU-0002UM-Vx for ietf-http-wg-dist@listhub.w3.org; Wed, 02 Jun 2010 04:54:43 +0000
Received: from bart.w3.org ([128.30.52.63]) by frink.w3.org with esmtp (Exim 4.69) (envelope-from <mnot@mnot.net>) id 1OJfyM-0002Sy-9B for ietf-http-wg@listhub.w3.org; Wed, 02 Jun 2010 04:54:34 +0000
Received: from mxout-08.mxes.net ([216.86.168.183]) by bart.w3.org with esmtp (Exim 4.69) (envelope-from <mnot@mnot.net>) id 1OJfyK-0006M9-3H for ietf-http-wg@w3.org; Wed, 02 Jun 2010 04:54:34 +0000
Received: from chancetrain-lm.mnot.net (unknown [118.209.66.143]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by smtp.mxes.net (Postfix) with ESMTPSA id 90794509B4; Wed, 2 Jun 2010 00:54:02 -0400 (EDT)
Mime-Version: 1.0 (Apple Message framework v1078)
Content-Type: text/plain; charset="us-ascii"
From: Mark Nottingham <mnot@mnot.net>
In-Reply-To: <1248537993.17041.53.camel@localhost.localdomain>
Date: Wed, 02 Jun 2010 14:54:31 +1000
Cc: HTTP Working Group <ietf-http-wg@w3.org>, Duane Wessels <wessels@packet-pushers.com>, JeffMogul@acm.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <F5E2F7FB-073E-4F13-9EDF-5683D0B007C2@mnot.net>
References: <Pine.SGI.4.10.10007192325560.19376-100000@surf.ircache.net> <C8E9A095-6F76-4767-A1C5-72940AD268F3@mnot.net> <4BECFD62-55E9-45D5-9CF0-3B18DF51C37F@mnot.net> <1248477546.31377.139.camel@localhost.localdomain> <A211E17D-31B2-4095-B240-BA7A7BC16E98@mnot.net> <1248537993.17041.53.camel@localhost.localdomain>
To: Henrik Nordstrom <henrik@henriknordstrom.net>
X-Mailer: Apple Mail (2.1078)
Received-SPF: pass
X-SPF-Guess: pass
X-W3C-Hub-Spam-Status: No, score=-2.6
X-W3C-Hub-Spam-Report: BAYES_00=-2.599, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001
X-W3C-Scan-Sig: bart.w3.org 1OJfyK-0006M9-3H 03f89587bc30f3954a0617c5d0171da6
X-Original-To: ietf-http-wg@w3.org
Subject: Re: Questions (errata?) about caching authenticated responses [#174]
Archived-At: <http://www.w3.org/mid/F5E2F7FB-073E-4F13-9EDF-5683D0B007C2@mnot.net>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/8781
X-Loop: ietf-http-wg@w3.org
Sender: ietf-http-wg-request@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>
Resent-Message-Id: <E1OJfyU-0002UM-Vx@frink.w3.org>
Resent-Date: Wed, 02 Jun 2010 04:54:42 +0000
Picking this issue back up and CC:ing Jeff for his recollections (see <http://trac.tools.ietf.org/wg/httpbis/trac/ticket/174> for background). On 26/07/2009, at 2:06 AM, Henrik Nordstrom wrote: > Going back reading RFC2068 for a while... and there the picture is quite > different when it comes to proxy-revalidate in authenticated responses: > > 1. If the response includes the "proxy-revalidate" Cache-Control > directive, the cache MAY use that response in replying to a > subsequent request, but a proxy cache MUST first revalidate it with > the origin server, using the request-headers from the new request > to allow the origin server to authenticate the new request. > 2. If the response includes the "must-revalidate" Cache-Control > directive, the cache MAY use that response in replying to a > subsequent request, but all caches MUST first revalidate it with > the origin server, using the request-headers from the new request > to allow the origin server to authenticate the new request. > 3. If the response includes the "public" Cache-Control directive, it > may be returned in reply to any subsequent request. > > So it turns out that what have happened with respect to proxy-revalidate > is that the MAY rule regarding proxy-revalidate was lost from this > section when s-maxage was added in RFC2616. Probably an editorial error > when introducing s-maxage, alternatively (but less likely) there may > have been discussions to remove proxy-revalidate entirely as the > definition of s-maxage makes proxy-revalidate redundant, but then this > text was never added back when it was decided to keep proxy-revalidate. Here's what I think happened. RFC2068 included this text in 13.2.1: > If an origin server wishes to force any HTTP/1.1 cache, no matter how > it is configured, to validate every request, it should use the > "must-revalidate" Cache-Control directive (see section 14.9). even though 14.9 of the same document says: > When the must-revalidate directive is > present in a response received by a cache, that cache MUST NOT use > the entry after it becomes stale to respond to a subsequent request > without first revalidating it with the origin server. The former text mis-defining must-revalidate was removed from 2616, but not before it confused the authors of the Auth and Cookie specs, as noted in <http://tools.ietf.org/html/draft-mogul-http-revalidate-00>. > Proposed resolution to the proxy-revalidate issue: Simply add back the > text from 1. above where it was nly correcting the text to say "shared > cache" where it said "proxy", at least for now. This makes > specifications consistent with what was specified in RFC2068 and what > one would expect from "use as few cache-control verbs as needed". There was a conscious decision in 2616 to remove the effects of the misinterpretation of must-revalidate from the spec, including in the Authorization header. Moving back to the 2068 text would cause yet more confusion. Additionally, 2616 explicitly says in the definition of proxy-revalidate: > Note that such authenticated responses also need the public cache > control directive in order to allow them to be cached at all. Counter-proposal: Add a new section to p6: ---8<--- Shared Caching of Authenticated Responses Shared caches MUST NOT use a cached response to a request with an Authorization [ref] header to satisfy any subsequent request unless a cache directive that allows such responses to be stored is present in the response. In this specification, the following Cache-Control response directives [ref] have such an effect: must-revalidate, public, s-maxage. Note that cached responses that contain the "must-revalidate" and/or "s-maxage" response directives are not allowed to be served stale [ref] by shared caches. In particular, a response with either "max-age=0, must-revalidate" or "s-maxage=0" cannot be used to satisfy a subsequent request without revalidating it on the origin server. --->8--- ... with appropriate changes to p6 2.1, 2.2, as well as the definitions of the Auth header and appropriate CC directives. > Regarding must-revalidate it may well be the case that this should be > restricted to say "non-shared caches" instead of "the cache" for the > reason outlined before, but if in doubt one can always use > private/public to specify what you intended so it's not that critical. > It's been specified like this "for ever". Non-shared caches aren't affected by the Authentication header. > Hmm.. on a second reading I notice "private" is missing in this section. > A shared cache MUST NOT use a response with "private", especially not > when there is authentication involved... Current text kind of implies a > shared cache is allowed to cache those as long as it always revalidates > on every request IF the request was authenticated but not otherwise.. > which is nonsense. (with it being nonsense I surely hope noone have > implemented their shared caches in such manner..) Are you referring to 2068 text or HTTPbis text here? Cheers, -- Mark Nottingham http://www.mnot.net/
- Fwd: Questions (errata?) about caching authentica… Mark Nottingham
- Re: Questions (errata?) about caching authenticat… Mark Nottingham
- Re: Questions (errata?) about caching authenticat… Henrik Nordstrom
- Re: Questions (errata?) about caching authenticat… Mark Nottingham
- Re: Questions (errata?) about caching authenticat… Henrik Nordstrom
- Re: Questions (errata?) about caching authenticat… Mark Nottingham
- Re: Questions (errata?) about caching authenticat… Jeffrey Mogul
- Re: Questions (errata?) about caching authenticat… Mark Nottingham
- Re: Questions (errata?) about caching authenticat… Mark Nottingham
- Re: Questions (errata?) about caching authenticat… Roy T. Fielding
- Re: Questions (errata?) about caching authenticat… Mark Nottingham
- Re: Questions (errata?) about caching authenticat… David Morris
- Re: Questions (errata?) about caching authenticat… Henrik Nordström
- Re: Questions (errata?) about caching authenticat… Henrik Nordström
- Re: Questions (errata?) about caching authenticat… Roy T. Fielding
- Re: Questions (errata?) about caching authenticat… Mark Nottingham
- Re: Questions (errata?) about caching authenticat… Adrien de Croy
- Re: Questions (errata?) about caching authenticat… Henrik Nordström
- Re: Questions (errata?) about caching authenticat… Mark Nottingham