IETF Logo Mail Archive

Re: Questions (errata?) about caching authenticated responses [#174]

Mark Nottingham <mnot@mnot.net> Wed, 02 June 2010 04:55 UTC

Return-Path: <ietf-http-wg-request@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@core3.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 2D28B3A6963 for <ietfarch-httpbisa-archive-bis2Juki@core3.amsl.com>; Tue, 1 Jun 2010 21:55:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.792
X-Spam-Level:
X-Spam-Status: No, score=-7.792 tagged_above=-999 required=5 tests=[AWL=-0.207, BAYES_40=-0.185, J_CHICKENPOX_23=0.6, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dxZskuD2nzSb for <ietfarch-httpbisa-archive-bis2Juki@core3.amsl.com>; Tue, 1 Jun 2010 21:55:32 -0700 (PDT)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) by core3.amsl.com (Postfix) with ESMTP id C24773A6952 for <httpbisa-archive-bis2Juki@lists.ietf.org>; Tue, 1 Jun 2010 21:55:32 -0700 (PDT)
Received: from lists by frink.w3.org with local (Exim 4.69) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1OJfyU-0002UM-Vx for ietf-http-wg-dist@listhub.w3.org; Wed, 02 Jun 2010 04:54:43 +0000
Received: from bart.w3.org ([128.30.52.63]) by frink.w3.org with esmtp (Exim 4.69) (envelope-from <mnot@mnot.net>) id 1OJfyM-0002Sy-9B for ietf-http-wg@listhub.w3.org; Wed, 02 Jun 2010 04:54:34 +0000
Received: from mxout-08.mxes.net ([216.86.168.183]) by bart.w3.org with esmtp (Exim 4.69) (envelope-from <mnot@mnot.net>) id 1OJfyK-0006M9-3H for ietf-http-wg@w3.org; Wed, 02 Jun 2010 04:54:34 +0000
Received: from chancetrain-lm.mnot.net (unknown [118.209.66.143]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by smtp.mxes.net (Postfix) with ESMTPSA id 90794509B4; Wed, 2 Jun 2010 00:54:02 -0400 (EDT)
Mime-Version: 1.0 (Apple Message framework v1078)
Content-Type: text/plain; charset="us-ascii"
From: Mark Nottingham <mnot@mnot.net>
In-Reply-To: <1248537993.17041.53.camel@localhost.localdomain>
Date: Wed, 02 Jun 2010 14:54:31 +1000
Cc: HTTP Working Group <ietf-http-wg@w3.org>, Duane Wessels <wessels@packet-pushers.com>, JeffMogul@acm.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <F5E2F7FB-073E-4F13-9EDF-5683D0B007C2@mnot.net>
References: <Pine.SGI.4.10.10007192325560.19376-100000@surf.ircache.net> <C8E9A095-6F76-4767-A1C5-72940AD268F3@mnot.net> <4BECFD62-55E9-45D5-9CF0-3B18DF51C37F@mnot.net> <1248477546.31377.139.camel@localhost.localdomain> <A211E17D-31B2-4095-B240-BA7A7BC16E98@mnot.net> <1248537993.17041.53.camel@localhost.localdomain>
To: Henrik Nordstrom <henrik@henriknordstrom.net>
X-Mailer: Apple Mail (2.1078)
Received-SPF: pass
X-SPF-Guess: pass
X-W3C-Hub-Spam-Status: No, score=-2.6
X-W3C-Hub-Spam-Report: BAYES_00=-2.599, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001
X-W3C-Scan-Sig: bart.w3.org 1OJfyK-0006M9-3H 03f89587bc30f3954a0617c5d0171da6
X-Original-To: ietf-http-wg@w3.org
Subject: Re: Questions (errata?) about caching authenticated responses [#174]
Archived-At: <http://www.w3.org/mid/F5E2F7FB-073E-4F13-9EDF-5683D0B007C2@mnot.net>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/8781
X-Loop: ietf-http-wg@w3.org
Sender: ietf-http-wg-request@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>
Resent-Message-Id: <E1OJfyU-0002UM-Vx@frink.w3.org>
Resent-Date: Wed, 02 Jun 2010 04:54:42 +0000

Picking this issue back up and CC:ing Jeff for his recollections (see <http://trac.tools.ietf.org/wg/httpbis/trac/ticket/174> for background).

On 26/07/2009, at 2:06 AM, Henrik Nordstrom wrote:

> Going back reading RFC2068 for a while... and there the picture is quite
> different when it comes to proxy-revalidate in authenticated responses:
> 
>     1. If the response includes the "proxy-revalidate" Cache-Control
>        directive, the cache MAY use that response in replying to a
>        subsequent request, but a proxy cache MUST first revalidate it with
>        the origin server, using the request-headers from the new request
>        to allow the origin server to authenticate the new request.
>     2. If the response includes the "must-revalidate" Cache-Control
>        directive, the cache MAY use that response in replying to a
>        subsequent request, but all caches MUST first revalidate it with
>        the origin server, using the request-headers from the new request
>        to allow the origin server to authenticate the new request.
>     3. If the response includes the "public" Cache-Control directive, it
>        may be returned in reply to any subsequent request.
> 
> So it turns out that what have happened with respect to proxy-revalidate
> is that the MAY rule regarding proxy-revalidate was lost from this
> section when s-maxage was added in RFC2616. Probably an editorial error
> when introducing s-maxage, alternatively (but less likely) there may
> have been discussions to remove proxy-revalidate entirely as the
> definition of s-maxage makes proxy-revalidate redundant, but then this
> text was never added back when it was decided to keep proxy-revalidate.

Here's what I think happened. RFC2068 included this text in 13.2.1:

> If an origin server wishes to force any HTTP/1.1 cache, no matter how
> it is configured, to validate every request, it should use the
> "must-revalidate" Cache-Control directive (see section 14.9).


even though 14.9 of the same document says:

> When the must-revalidate directive is
> present in a response received by a cache, that cache MUST NOT use
> the entry after it becomes stale to respond to a subsequent request
> without first revalidating it with the origin server.


The former text mis-defining must-revalidate was removed from 2616, but not before it confused the authors of the Auth and Cookie specs, as noted in <http://tools.ietf.org/html/draft-mogul-http-revalidate-00>.


> Proposed resolution to the proxy-revalidate issue: Simply add back the
> text from 1. above where it was nly correcting the text to say "shared
> cache" where it said "proxy", at least for now. This makes
> specifications consistent with what was specified in RFC2068 and what
> one would expect from "use as few cache-control verbs as needed".

There was a conscious decision in 2616 to remove the effects of the misinterpretation of must-revalidate from the spec, including in the Authorization header.   Moving back to the 2068 text would cause yet more confusion.

Additionally, 2616 explicitly says in the definition of proxy-revalidate:

> Note that such authenticated responses also need the public cache
> control directive in order to allow them to be cached at all.


Counter-proposal:

Add a new section to p6:

---8<---
Shared Caching of Authenticated Responses

Shared caches MUST NOT use a cached response to a request with an Authorization [ref] header to satisfy any subsequent request unless a cache directive that allows such responses to be stored is present in the response.

In this specification, the following Cache-Control response directives [ref] have such an effect: must-revalidate, public, s-maxage.

Note that cached responses that contain the "must-revalidate" and/or "s-maxage" response directives are not allowed to be served stale [ref] by shared caches. In particular, a response with either "max-age=0, must-revalidate" or "s-maxage=0" cannot be used to satisfy a subsequent request without revalidating it on the origin server. 
--->8---

... with appropriate changes to p6 2.1, 2.2, as well as the definitions of the Auth header and appropriate CC directives.


> Regarding must-revalidate it may well be the case that this should be
> restricted to say "non-shared caches" instead of "the cache" for the
> reason outlined before, but if in doubt one can always use
> private/public to specify what you intended so it's not that critical.
> It's been specified like this "for ever".

Non-shared caches aren't affected by the Authentication header.


> Hmm.. on a second reading I notice "private" is missing in this section.
> A shared cache MUST NOT use a response with "private", especially not
> when there is authentication involved... Current text kind of implies a
> shared cache is allowed to cache those as long as it always revalidates
> on every request IF the request was authenticated but not otherwise..
> which is nonsense. (with it being nonsense I surely hope noone have
> implemented their shared caches in such manner..)


Are you referring to 2068 text or HTTPbis text here?

Cheers,

--
Mark Nottingham     http://www.mnot.net/

v2.23.0 | Report a Bug | By Email