RE: #78: Relationship between 401, Authorization and WWW-Authenticate

"Manger, James H" <James.H.Manger@team.telstra.com> Tue, 26 July 2011 00:14 UTC

From: "Manger, James H" <James.H.Manger@team.telstra.com>
To: Willy Tarreau <w@1wt.eu>, Julian Reschke <julian.reschke@gmx.de>
CC: HTTP Working Group <ietf-http-wg@w3.org>
Date: Tue, 26 Jul 2011 10:13:11 +1000
Thread-Topic: #78: Relationship between 401, Authorization and WWW-Authenticate
Message-ID: <255B9BB34FB7D647A506DC292726F6E112894D97F2@WSMSG3153V.srv.dir.telstra.com>
References: <798C1D1A-C0C7-40DD-8993-31DB735A4961@mnot.net> <255B9BB34FB7D647A506DC292726F6E112892DE4A4@WSMSG3153V.srv.dir.telstra.com> <4E2DE5FF.7060801@gmx.de> <20110725224402.GA31941@1wt.eu>
In-Reply-To: <20110725224402.GA31941@1wt.eu>
Subject: RE: #78: Relationship between 401, Authorization and WWW-Authenticate
Archived-At: <http://www.w3.org/mid/255B9BB34FB7D647A506DC292726F6E112894D97F2@WSMSG3153V.srv.dir.telstra.com>
List-Id: <ietf-http-wg.w3.org>

>On Mon, Jul 25, 2011 at 11:54:07PM +0200, Julian Reschke wrote:
>> Maybe...:
>> 
>> Use of the Authorization header to transfer credentials implies 
>> "Cache-Control: private" [ref] and thus affects cacheability of 
>> responses. Thus, definitions of new authentication schemes that do not 
>> use "Authorization" will need to ensure that response messages do not 
>> leak in an unintended way, for instance by specifying "Cache-Control" or 
>> "Vary: *" [ref] explicitly.
>> 
>> Feedback appreciated,

>I can read the first sentence in two ways :
>  - if a server or intermediary receives an Authorization header, it must
>    assume that "Cache-Control: private" is implied
>  - if a client wants to emit an Authorization header, it must also add
>    a "Cache-Control: private" header
>
>I think the former was meant given the second sentence, though I'm not
>100% certain. If so, maybe we should focus on the recipient of the message
>and replace "Use of" with "Presence of" (or anything equivalent).
>
>The second part is clear enough however.


The first sentence should be read a 3rd way:
  - if an Authorization header is present in a request, the corresponding
    response MUST be treated as though it includes "Cache-Control: private",
    unless it explicitly includes a Cache-Control header


draft-ietf-httpbis-p7-auth-15#section-4.1 already contains 20 lines of text (1 paragraph plus 3 dot points) about caching when a request includes an Authorization header. This shouldn't be paraphrased immediately after that text with the first sentence above "... implies Cache-Control: private...". I am not sure that the 20 lines are totally consistent with this first sentence.

Perhaps the existing 20 lines were going to be removed, to be replaced with a single sentence about implying "Cache-Control: private" by default? That sounds ok to me, as long as the first sentence makes it clear that "Cache-Control: private" is implied for the corresponding response.

Alternatively, if the existing 20 lines are kept, then just add the 2nd sentence of Julian's text as a new paragraph at the end of section 4.1 [draft-ietf-httpbis-p7-auth-15#section-4.1]:

  Use of authentication schemes that do not 
  use "Authorization" will need to ensure that response messages do not 
  leak in an unintended way, for instance by specifying "Cache-Control" or 
  "Vary: *" [ref] explicitly.

--
James Manger
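The caching rule being argued over above, as an added worked example (editor-supplied code, not text from this thread or from draft-ietf-httpbis-p7-auth). It models Manger's "3rd way" reading: a response to a request that carried Authorization is handled by a shared cache as if it said "Cache-Control: private" unless the response explicitly overrides that. The three override directives (public, s-maxage, must-revalidate) are the exceptions in RFC 2616 section 14.8, which section 4.1 of the draft restates; they are not spelled out in the mail. The header name X-Example-Token, the credential values and the request/response pairs are constructed for the example and stand in for a scheme that does not use Authorization, which is the leak Julian's second sentence is about.

```python
"""Shared-cache storage decision for responses to authenticated requests.

Added example, not text from the thread or from draft-ietf-httpbis-p7-auth.
A response to a request carrying Authorization is treated as if it said
"Cache-Control: private" unless the response explicitly says otherwise; the
directives that count as "explicitly otherwise" are the RFC 2616 section 14.8
exceptions (public, s-maxage, must-revalidate).
"""
from typing import Dict, Optional

# Directives that explicitly permit a shared cache to store a response to a
# request carrying Authorization (RFC 2616 section 14.8).
AUTH_OVERRIDE_DIRECTIVES = ("public", "s-maxage", "must-revalidate")


def parse_cache_control(value: Optional[str]) -> Dict[str, Optional[str]]:
    """Parse 'a, b=1, c="x, y"' into {name: value}; value is None for flags.

    Commas inside a quoted-string do not split directives; escaped quotes
    inside a quoted-string are not handled (simplification for the example).
    """
    directives: Dict[str, Optional[str]] = {}
    if not value:
        return directives
    parts, buf, quoted = [], [], False
    for ch in value:
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    for part in parts:
        part = part.strip()
        if not part:
            continue
        name, eq, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"') if eq else None
    return directives


def shared_cache_may_store(request: Dict[str, str], response: Dict[str, str]) -> bool:
    """Return True if a shared cache may store `response` to `request`.

    Only the Authorization rule and the directives around it are modelled;
    status code, freshness and Vary matching are out of scope here.
    """
    req = {k.lower(): v for k, v in request.items()}
    resp = {k.lower(): v for k, v in response.items()}
    cc = parse_cache_control(resp.get("cache-control"))

    # Explicit prohibitions win regardless of how the request looked.
    if "private" in cc or "no-store" in cc:
        return False
    # "Vary: *" can never match a later request, so storing is pointless;
    # this is the other escape hatch Julian's text suggests.
    if resp.get("vary", "").strip() == "*":
        return False
    # The Authorization rule: implied private unless explicitly overridden.
    if "authorization" in req:
        return any(d in cc for d in AUTH_OVERRIDE_DIRECTIVES)
    # No Authorization and nothing forbidding storage: the generic path.
    return True


def leak_cases() -> Dict[str, bool]:
    """Constructed request/response pairs showing where the rule does and does
    not protect a per-user response.  X-Example-Token is a hypothetical
    credential header standing in for a scheme that does not use Authorization.
    """
    basic = {"Authorization": "Basic dXNlcjpwYXNz"}   # constructed credential
    token = {"X-Example-Token": "t0k3n"}               # hypothetical scheme
    no_cc = {"Content-Type": "text/plain"}             # server said nothing
    return {
        # Authorization present, no Cache-Control: implied private, not stored.
        "authz_no_cc": shared_cache_may_store(basic, no_cc),
        # Server explicitly opted the response into shared caching.
        "authz_smaxage": shared_cache_may_store(basic, {"Cache-Control": "s-maxage=60"}),
        # max-age alone is not one of the overrides; still implied private.
        "authz_maxage_only": shared_cache_may_store(basic, {"Cache-Control": "max-age=60"}),
        # The leak: the rule keys on the Authorization header name, so a
        # scheme using another header gets no implied private and the
        # per-user response would be stored and served to other clients.
        "token_no_cc": shared_cache_may_store(token, no_cc),
        # The two fixes from Julian's second sentence.
        "token_private": shared_cache_may_store(token, {"Cache-Control": "private"}),
        "token_vary_star": shared_cache_may_store(token, {"Vary": "*"}),
    }


if __name__ == "__main__":
    for name, stored in leak_cases().items():
        print(f"{name:18s} shared cache may store: {stored}")
```

The "token_no_cc" case is the one the thread worries about: nothing in the request or response tells a shared cache that the response is per-user, so it is stored and the next client with the same URL gets someone else's data. The scheme definition has to say "Cache-Control: private" (or "Vary: *") explicitly, exactly as Julian's proposed sentence requires.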