| 1 |
|
| 2 |
|
| 3 |
HTTP Working Group J. C. Mogul, DECWRL |
| 4 |
Internet-Draft 27 May 1997 |
| 5 |
Expires: 30 November 1997 |
| 6 |
|
| 7 |
|
| 8 |
Forcing HTTP/1.1 proxies to revalidate responses |
| 9 |
|
| 10 |
draft-mogul-http-revalidate-01.txt |
| 11 |
|
| 12 |
|
| 13 |
STATUS OF THIS MEMO |
| 14 |
|
| 15 |
This document is an Internet-Draft. Internet-Drafts are |
| 16 |
working documents of the Internet Engineering Task Force |
| 17 |
(IETF), its areas, and its working groups. Note that other |
| 18 |
groups may also distribute working documents as |
| 19 |
Internet-Drafts. |
| 20 |
|
| 21 |
Internet-Drafts are draft documents valid for a maximum of |
| 22 |
six months and may be updated, replaced, or obsoleted by |
| 23 |
other documents at any time. It is inappropriate to use |
| 24 |
Internet-Drafts as reference material or to cite them other |
| 25 |
than as "work in progress." |
| 26 |
|
| 27 |
To learn the current status of any Internet-Draft, please |
| 28 |
check the "1id-abstracts.txt" listing contained in the |
| 29 |
Internet-Drafts Shadow Directories on ftp.is.co.za |
| 30 |
(Africa), nic.nordu.net (Europe), munnari.oz.au (Pacific |
| 31 |
Rim), ds.internic.net (US East Coast), or ftp.isi.edu (US |
| 32 |
West Coast). |
| 33 |
|
| 34 |
Distribution of this document is unlimited. Please send |
| 35 |
comments to the HTTP working group at |
| 36 |
<http-wg@cuckoo.hpl.hp.com>. Discussions of the working |
| 37 |
group are archived at |
| 38 |
<URL:http://www.ics.uci.edu/pub/ietf/http/>. General |
| 39 |
discussions about HTTP and the applications which use HTTP |
| 40 |
should take place on the <www-talk@w3.org> mailing list. |
| 41 |
|
| 42 |
|
| 43 |
ABSTRACT |
| 44 |
|
| 45 |
The HTTP/1.1 specification [1] currently defines a |
| 46 |
``proxy-revalidate'' Cache-control directive, which forces |
| 47 |
a proxy to revalidate a stale response before using it in a |
| 48 |
reply. There is no mechanism defined that forces a proxy, |
| 49 |
but not an end-client, to revalidate a fresh response. The |
| 50 |
lack of such a mechanism is due to an error in drafting |
| 51 |
RFC2068, and appears to create problems for use of the |
| 52 |
Authorization header, the Digest Access Authentication |
| 53 |
extension [2], the State Management Mechanism [3], and |
| 54 |
several other proposed extensions. This document discusses |
| 55 |
the problem and several possible solutions, and proposes to |
| 56 |
add a new ``s-maxage'' directive as the best available |
| 57 |
solution. |
| 58 |
Mogul [Page 1] |
| 59 |
� |
| 60 |
Internet-Draft HTTP proxy revalidation 27 May 1997 17:59 |
| 61 |
|
| 62 |
|
| 63 |
TABLE OF CONTENTS |
| 64 |
|
| 65 |
1 Introduction 2 |
| 66 |
2 Problems with proxy-revalidate 3 |
| 67 |
3 Possible alternatives 5 |
| 68 |
3.1 Alternatives not requiring changes to RFC2068 5 |
| 69 |
3.2 Alternatives that require changes to RFC2068 6 |
| 70 |
4 Proposed solution 8 |
| 71 |
5 Security Considerations 10 |
| 72 |
6 Acknowledgements 10 |
| 73 |
7 References 10 |
| 74 |
8 Author's address 10 |
| 75 |
|
| 76 |
|
| 77 |
1 Introduction |
| 78 |
|
| 79 |
HTTP/1.1 introduces a ``Cache-control'' header to allow origin |
| 80 |
servers and clients to impose fine-grained control over the operation |
| 81 |
of HTTP caches. One important aspect of HTTP caching is whether a |
| 82 |
cache should ``revalidate'' a cached response with the origin server, |
| 83 |
before using the response as a cache hit. In cases where the use of |
| 84 |
an invalid cache entry could lead to serious error, such as the |
| 85 |
violation of an authentication policy, or incorrect behavior of an |
| 86 |
online shopping application, proper revalidation could be crucial. |
| 87 |
On the other hand, caching can yield significant performance |
| 88 |
benefits, and so we want to make caching as effective as possible. |
| 89 |
|
| 90 |
Note: HTTP caches normally revalidate a cached response by |
| 91 |
sending a conditional GET to the origin server. This may be |
| 92 |
done using the ``If-none-match'' request header or the |
| 93 |
``If-modified-since'' request header. If the server would |
| 94 |
return the same response as the cached response, the server may |
| 95 |
reply with a status code of 304 (Not Modified). While this |
| 96 |
does involve a message exchange, by avoiding the transmission |
| 97 |
of the entity body, a revalidation is often much cheaper than |
| 98 |
an unconditional retrieval. |
| 99 |
|
| 100 |
Regarding the terms ``fresh'' and ``stale'': a cached response |
| 101 |
is considered to be fresh if its current age is less than its |
| 102 |
maximum allowed age. A cached response is stale otherwise. |
| 103 |
Normally, only stale responses need to be revalidated; a fresh |
| 104 |
response is inherently usable without revalidation, until it |
| 105 |
reaches its maximum age. |
| 106 |
|
| 107 |
During the design of HTTP/1.1, it was realized that different |
| 108 |
revalidation policies might be applied to end-client caches (e.g., in |
| 109 |
browsers) and to intermediate proxy caches. For example, a proxy |
| 110 |
cache might be shared between multiple users (raising security |
| 111 |
considerations), or it might be operated by someone whose interests |
| 112 |
in reducing transmission costs do not coincide with the interest of |
| 113 |
the ultimate client or origin server in preserving certain kinds of |
| 114 |
application semantics. |
| 115 |
Mogul [Page 2] |
| 116 |
� |
| 117 |
Internet-Draft HTTP proxy revalidation 27 May 1997 17:59 |
| 118 |
|
| 119 |
|
| 120 |
It was also realized that in some cases, it might sometimes be |
| 121 |
appropriate to configure a cache to be ``loose'' in its behavior for |
| 122 |
stale responses. That is, in such a situation, the cache might |
| 123 |
return a stale response without revalidating it. This might be done, |
| 124 |
for example, if the network connection between the cache and the |
| 125 |
origin server is not working, or if the cost or delay for |
| 126 |
revalidation is prohibitively high. |
| 127 |
|
| 128 |
There is an obvious potential contradiction between the occasional |
| 129 |
requirement for strict revalidation of certain responses, and the |
| 130 |
occasional desire to allow loose operation of some HTTP caches. |
| 131 |
HTTP/1.1 resolves this by allowing (although not encouraging) loose |
| 132 |
operation as the default, but by providing a protocol mechanism for |
| 133 |
origin servers or end-clients to insist on mandatory strict operation |
| 134 |
when necessary. This is done using the ``Cache-control'' header, |
| 135 |
which can carry a number of cache-control directives. In particular, |
| 136 |
these directives are defined in section 14.9 of RFC2068: |
| 137 |
|
| 138 |
- max-age=NNN |
| 139 |
Sets the maximum age for this response to NNN seconds. By |
| 140 |
itself, does not force strict revalidation behavior. |
| 141 |
|
| 142 |
- no-cache |
| 143 |
Prevents any caching of this response. |
| 144 |
|
| 145 |
- private |
| 146 |
Prevents any caching by a shared cache. |
| 147 |
|
| 148 |
- must-revalidate |
| 149 |
Requires that an HTTP/1.1 cache revalidate the response |
| 150 |
before using it, if the response is stale. |
| 151 |
|
| 152 |
- proxy-revalidate |
| 153 |
Requires that an HTTP/1.1 proxy cache revalidate the |
| 154 |
response before using it, if the response is stale; does |
| 155 |
not affect an end-client cache. |
| 156 |
|
| 157 |
|
| 158 |
2 Problems with proxy-revalidate |
| 159 |
|
| 160 |
The fundamental problem with proxy-revalidate, as defined in RFC2068, |
| 161 |
is that it does not require a proxy cache to revalidate a fresh |
| 162 |
response before using it. However, there are several circumstances |
| 163 |
in which it is desirable or necessary to force a proxy cache to |
| 164 |
revalidate a response that, to an end-client cache, would appear to |
| 165 |
be fresh. |
| 166 |
|
| 167 |
In section 14.8 of RFC2068, defining the ``Authorization'' header, |
| 168 |
this language appears: |
| 169 |
|
| 170 |
|
| 171 |
|
| 172 |
Mogul [Page 3] |
| 173 |
� |
| 174 |
Internet-Draft HTTP proxy revalidation 27 May 1997 17:59 |
| 175 |
|
| 176 |
|
| 177 |
1. If the response includes the "proxy-revalidate" |
| 178 |
Cache-Control directive, the cache MAY use that response in |
| 179 |
replying to a subsequent request, but a proxy cache MUST |
| 180 |
first revalidate it with the origin server, using the |
| 181 |
request-headers from the new request to allow the origin |
| 182 |
server to authenticate the new request. |
| 183 |
|
| 184 |
While this could be read as modifying the definition of |
| 185 |
proxy-revalidate from section 14.9.4, it was in fact not intended as |
| 186 |
a modification. Rather, the author of these two sections of RFC2068 |
| 187 |
(me!) failed to notice the conflicting intentions of these two uses |
| 188 |
of proxy-revalidate. |
| 189 |
|
| 190 |
In section 2.1.2 of RFC2069 [2] (the specification of the Digest |
| 191 |
Access Authentication extension to HTTP/1.1), this language appears: |
| 192 |
|
| 193 |
Implementors should be aware of how authenticated |
| 194 |
transactions interact with proxy caches. The HTTP/1.1 |
| 195 |
protocol specifies that when a shared cache (see section |
| 196 |
13.10 of [2]) has received a request containing an |
| 197 |
Authorization header and a response from relaying that |
| 198 |
request, it MUST NOT return that response as a reply to any |
| 199 |
other request, unless one of two Cache-control (see section |
| 200 |
14.9 of [2]) directives was present in the response. If the |
| 201 |
original response included the ``must-revalidate'' |
| 202 |
Cache-control directive, the cache MAY use the entity of that |
| 203 |
response in replying to a subsequent request, but MUST first |
| 204 |
revalidate it with the origin server, using the request |
| 205 |
headers from the new request to allow the origin server to |
| 206 |
authenticate the new request. Alternatively, if the original |
| 207 |
response included the ``public'' Cache-control directive, the |
| 208 |
response entity MAY be returned in reply to any subsequent |
| 209 |
request. |
| 210 |
|
| 211 |
This discussion appears to be in error, since its implication that |
| 212 |
``must-revalidate'' always MUST cause a revalidation does not cover |
| 213 |
the case of apparently fresh responses. In fact, discussion with one |
| 214 |
of the authors of RFC2069 has confirmed that he understood that |
| 215 |
RFC2068 had provided a ``proxy must revalidate even if fresh'' |
| 216 |
directive, which it does not. |
| 217 |
|
| 218 |
In section 4.2.3 of RFCXXXX [3] (the specification of the State |
| 219 |
Management Mechanism for HTTP/1.1), this language appears: |
| 220 |
|
| 221 |
The origin server should send [one of] the following |
| 222 |
additional HTTP/1.1 response headers, depending on |
| 223 |
circumstances: |
| 224 |
|
| 225 |
* To suppress caching of a private document in shared caches: |
| 226 |
Cache-control: private. |
| 227 |
|
| 228 |
|
| 229 |
Mogul [Page 4] |
| 230 |
� |
| 231 |
Internet-Draft HTTP proxy revalidation 27 May 1997 17:59 |
| 232 |
|
| 233 |
|
| 234 |
* To allow caching of a document and require that it be |
| 235 |
validated before returning it to the client: Cache-control: |
| 236 |
must-revalidate. |
| 237 |
|
| 238 |
* To allow caching of a document, but to require that proxy |
| 239 |
caches (not user agent caches) validate it before returning |
| 240 |
it to the client: Cache-control: proxy-revalidate. |
| 241 |
|
| 242 |
* To allow caching of a document and request that it be |
| 243 |
validated before returning it to the client (by |
| 244 |
``pre-expiring'' it): Cache-control: max-age=0. Not all |
| 245 |
caches will revalidate the document in every case. |
| 246 |
|
| 247 |
Here again there seems to be a (false) assumption that |
| 248 |
must-revalidate and proxy-revalidate cause revalidation even of fresh |
| 249 |
responses. |
| 250 |
|
| 251 |
Finally, the proposed Hit-Metering extension to HTTP/1.1 [4] depends |
| 252 |
on a mechanism whereby an origin server can require proxy caches to |
| 253 |
revalidate a response before every use, without requiring end-client |
| 254 |
caches to do the same thing (which would be prohibitively |
| 255 |
inefficient). |
| 256 |
|
| 257 |
In summary, there is a clear need for a Cache-control mechanism that |
| 258 |
allows an origin server to specify that a proxy cache (more |
| 259 |
accurately, a shared cache) must always revalidate a response, while |
| 260 |
allowing end-clients (more accurately, private caches) to cache it |
| 261 |
without revalidation (perhaps for a limited period). |
| 262 |
|
| 263 |
|
| 264 |
3 Possible alternatives |
| 265 |
|
| 266 |
3.1 Alternatives not requiring changes to RFC2068 |
| 267 |
Assuming that we do want a mechanism that allows an origin server to |
| 268 |
specify that a proxy must always revalidate a response, while |
| 269 |
allowing end-clients to cache it without revalidation, we could |
| 270 |
certainly do this by modifying the HTTP/1.1 specification proposed in |
| 271 |
RFC2068. Would it be possible to do this without modifying RFC2068, |
| 272 |
possibly by using a combination of existing Cache-control directives |
| 273 |
to approximate the desired behavior? |
| 274 |
|
| 275 |
One solution would simply to use ``Cache-control: private''. This |
| 276 |
would preserve any necessary semantics (because it would prevent any |
| 277 |
and all proxy caching of the response). However, it is much less |
| 278 |
efficient; because ``private'' prevents a shared cache from even |
| 279 |
storing the response, it cannot do a conditional request for |
| 280 |
subsequent references. Hence, this approach would lead to much |
| 281 |
unnecessary transmission of entity bodies when we could be using 304 |
| 282 |
(Not Modified) responses. |
| 283 |
|
| 284 |
Another approach would be to use ``Cache-control: proxy-revalidate, |
| 285 |
|
| 286 |
Mogul [Page 5] |
| 287 |
� |
| 288 |
Internet-Draft HTTP proxy revalidation 27 May 1997 17:59 |
| 289 |
|
| 290 |
|
| 291 |
max-age=0''. This allows proxies to store the response and forces |
| 292 |
them to revalidate it on every reference. However, it also implies |
| 293 |
that strict end-user caches should revalidate on every reference as |
| 294 |
well, which could cause even more unnecessary traffic than |
| 295 |
``Cache-control: private'' would. |
| 296 |
|
| 297 |
In short, there does not appear to be a way to use the existing |
| 298 |
RFC2068 mechanisms to preserve both the necessary semantics and |
| 299 |
optimal cache performance. |
| 300 |
|
| 301 |
3.2 Alternatives that require changes to RFC2068 |
| 302 |
Several proposals have been made for modifications to RFC2068 to |
| 303 |
resolve this problem. |
| 304 |
|
| 305 |
We could redefine proxy-revalidate to mean ``always revalidate, even |
| 306 |
if the response is fresh.'' However, this would leave us either with |
| 307 |
no way to allow strict caches to use a response while it is fresh, or |
| 308 |
with no way to force loose caches to revalidate certain responses. |
| 309 |
|
| 310 |
The other proposals all involve adding one new Cache-control |
| 311 |
directive, while preserving the current meaning of the existing |
| 312 |
proxy-revalidate directive: |
| 313 |
|
| 314 |
- proxy-mustcheck |
| 315 |
This would mean that a proxy, but not an end-client, would |
| 316 |
have to revalidate the response even it is fresh |
| 317 |
|
| 318 |
- s-maxage=NNN |
| 319 |
This would mean defining separate maximum ages for shared |
| 320 |
(normally proxy) caches and for private (normally |
| 321 |
end-client) caches. The existing max-age (or Expires) |
| 322 |
value would continue to apply to private caches, and would |
| 323 |
continue to apply to shared caches if the s-maxage |
| 324 |
directive were not present. However, if s-maxage is |
| 325 |
present, then it would override the max-age (or Expires) |
| 326 |
limit for shared caches, but would be ignored by private |
| 327 |
caches. |
| 328 |
|
| 329 |
- agent-maxage=NNN |
| 330 |
This would also mean defining separate maximum ages for |
| 331 |
proxy caches and for end-client caches. The existing |
| 332 |
max-age (or Expires) value would continue to apply to proxy |
| 333 |
caches, and would continue to apply to end-client caches if |
| 334 |
the agent-maxage directive were not present. However, if |
| 335 |
agent-maxage is present, then it would override the max-age |
| 336 |
(or Expires) limit for end-clients, but would be ignored by |
| 337 |
proxy caches. |
| 338 |
|
| 339 |
One option would be to make either ``s-maxage'' or ``agent-maxage'' |
| 340 |
always strict: that is, they would imply that a proxy or end-client, |
| 341 |
respectively, (or shared and private caches, respectively) would be |
| 342 |
|
| 343 |
Mogul [Page 6] |
| 344 |
� |
| 345 |
Internet-Draft HTTP proxy revalidation 27 May 1997 17:59 |
| 346 |
|
| 347 |
|
| 348 |
required to revalidate a stale response. Alternatively, they could |
| 349 |
be combined with a ``must-revalidate'' directive to force strict |
| 350 |
behavior, but would otherwise allow loose behavior. |
| 351 |
|
| 352 |
Each of these proposals would solve the existing problem, would be |
| 353 |
simple to specify, and would probably not require significant |
| 354 |
implementation complexity or overhead. However, we should probably |
| 355 |
choose just one of these options; what are the relative merits? |
| 356 |
|
| 357 |
The proxy-mustcheck approach is clearly the simplest, but gives up |
| 358 |
the possibility of separate control over proxy and end-client |
| 359 |
expiration times. Since this orthogonality could potentially be |
| 360 |
useful, it seems more useful to adopt the s-maxage or agent-maxage |
| 361 |
proposals. |
| 362 |
|
| 363 |
If one assumes that this change could be made to the HTTP/1.1 |
| 364 |
specification before the permanent deployment of any HTTP/1.1 |
| 365 |
proxies, there at first seems to be no obvious reason to prefer one |
| 366 |
to the other. That is, this header |
| 367 |
|
| 368 |
Cache-control: max-age=10,s-maxage=3 |
| 369 |
|
| 370 |
and this one |
| 371 |
|
| 372 |
Cache-control: max-age=3,agent-maxage=10 |
| 373 |
|
| 374 |
both express the same semantics in the same number of bytes. |
| 375 |
|
| 376 |
However, if we also adopt the rule that s-maxage implies the presence |
| 377 |
of proxy-revalidate, then in order to express the semantics of |
| 378 |
|
| 379 |
Cache-control: max-age=10,s-maxage=3 |
| 380 |
|
| 381 |
the origin server would have to send |
| 382 |
|
| 383 |
Cache-control: max-age=3,agent-maxage=10,proxy-revalidate |
| 384 |
|
| 385 |
which is somewhat more expensive. |
| 386 |
|
| 387 |
Also, if we do adopt the Hit-metering proposal [4], the s-maxage |
| 388 |
approach seems preferable, because it would allow the necessary |
| 389 |
header rewriting to be accomplished by simple addition of a |
| 390 |
directive, rather than more elaborate rewriting. For example, if the |
| 391 |
origin server sends a hit-metered response with |
| 392 |
|
| 393 |
Cache-control: max-age=10 |
| 394 |
|
| 395 |
then it would be rewritten (at the appropriate proxy, if necessary; |
| 396 |
see [4] for details) as |
| 397 |
|
| 398 |
|
| 399 |
|
| 400 |
Mogul [Page 7] |
| 401 |
� |
| 402 |
Internet-Draft HTTP proxy revalidation 27 May 1997 17:59 |
| 403 |
|
| 404 |
|
| 405 |
Cache-control: max-age=10,s-maxage=0 |
| 406 |
|
| 407 |
using the s-maxage alternative, but would have to be rewritten as |
| 408 |
|
| 409 |
Cache-control: max-age=0,agent-maxage=10 |
| 410 |
|
| 411 |
using the agent-maxage proposal. |
| 412 |
|
| 413 |
On the other hand, if we cannot make the necessary change to the |
| 414 |
specification before the deployment of HTTP/1.1 proxies, then the |
| 415 |
agent-maxage proposal is somewhat safer in terms of semantics. That |
| 416 |
is, if HTTP/1.1 proxies are deployed that do not understand the |
| 417 |
s-maxage directive, the use of agent-maxage will not cause these |
| 418 |
proxies to avoid revalidating fresh responses. This is because they |
| 419 |
will presumably carry a ``max-age=0'' directive, and so not appear to |
| 420 |
be fresh to these proxies. |
| 421 |
|
| 422 |
Unfortunately, if we fail to change the specification before the |
| 423 |
permanent deployment of HTTP/1.1 end-clients, then we may face a |
| 424 |
performance problem with the use of agent-maxage: clients that do |
| 425 |
not understand this new directive might do many more revalidations |
| 426 |
than necessary, and so cause excessive network and server loading, as |
| 427 |
well as unnecessary delays. |
| 428 |
|
| 429 |
Ultimately, therefore, it would be best if we made this specification |
| 430 |
change before any permanent deployment of HTTP/1.1 proxies or |
| 431 |
clients. If we do so, then it seems more efficient to use the |
| 432 |
s-maxage mechanism. |
| 433 |
|
| 434 |
|
| 435 |
4 Proposed solution |
| 436 |
|
| 437 |
The HTTP/1.1 specification in RFC2068 should be changed, in section |
| 438 |
14.9 (Cache-Control), in the following ways: |
| 439 |
|
| 440 |
- The grammar for cache-response-directive should include a |
| 441 |
new alternative: |
| 442 |
|
| 443 |
| "s-maxage" "=" delta-seconds |
| 444 |
|
| 445 |
There is no need for a corresponding change to the grammar |
| 446 |
for cache-request-directive. |
| 447 |
|
| 448 |
- Section 14.9.3 should include, after the second paragraph |
| 449 |
(which starts with ``If a response includes ...''), this |
| 450 |
new paragraph: |
| 451 |
|
| 452 |
If a response includes a s-maxage directive, then |
| 453 |
for a shared cache (but not for a private cache), |
| 454 |
the maximum age specified by this directive |
| 455 |
overrides the maximum age specified by either the |
| 456 |
|
| 457 |
Mogul [Page 8] |
| 458 |
� |
| 459 |
Internet-Draft HTTP proxy revalidation 27 May 1997 17:59 |
| 460 |
|
| 461 |
|
| 462 |
max-age directive or the Expires header. The |
| 463 |
s-maxage directive also implies the semantics of |
| 464 |
the proxy-revalidate directive (see section |
| 465 |
14.9.4), i.e., that the shared cache MUST NOT use |
| 466 |
the entry after it becomes stale to respond to a |
| 467 |
subsequent request without first revalidating it |
| 468 |
with the origin server. The s-maxage directive is |
| 469 |
always ignored by a private cache. |
| 470 |
|
| 471 |
- In section 13.4, the list of response headers and |
| 472 |
directives implicitly allowing cachability should include |
| 473 |
``s-maxage'' after ``max-age''. |
| 474 |
|
| 475 |
- In section 14.8 (Authorization), this paragraph: |
| 476 |
|
| 477 |
1. If the response includes the "proxy-revalidate" |
| 478 |
Cache-Control directive, the cache MAY use that |
| 479 |
response in replying to a subsequent request, but a |
| 480 |
proxy cache MUST first revalidate it with the |
| 481 |
origin server, using the request-headers from the |
| 482 |
new request to allow the origin server to |
| 483 |
authenticate the new request. |
| 484 |
|
| 485 |
should become |
| 486 |
|
| 487 |
1. If the response includes the "proxy-revalidate" |
| 488 |
Cache-Control directive, the cache MAY use that |
| 489 |
response in replying to a subsequent request, but |
| 490 |
if the response is stale, a proxy cache MUST first |
| 491 |
revalidate it with the origin server, using the |
| 492 |
request-headers from the new request to allow the |
| 493 |
origin server to authenticate the new request. |
| 494 |
|
| 495 |
This paragraph |
| 496 |
|
| 497 |
2. If the response includes the "must-revalidate" |
| 498 |
Cache-Control directive, the cache MAY use that |
| 499 |
response in replying to a subsequent request, but |
| 500 |
all caches MUST first revalidate it with the origin |
| 501 |
server, using the request-headers from the new |
| 502 |
request to allow the origin server to authenticate |
| 503 |
the new request. |
| 504 |
|
| 505 |
should become |
| 506 |
|
| 507 |
2. If the response includes the "must-revalidate" |
| 508 |
Cache-Control directive, the cache MAY use that |
| 509 |
response in replying to a subsequent request, but |
| 510 |
if the response is stale, all caches MUST first |
| 511 |
revalidate it with the origin server, using the |
| 512 |
request-headers from the new request to allow the |
| 513 |
origin server to authenticate the new request. |
| 514 |
Mogul [Page 9] |
| 515 |
� |
| 516 |
Internet-Draft HTTP proxy revalidation 27 May 1997 17:59 |
| 517 |
|
| 518 |
|
| 519 |
Additionally, RFC2069 [2] and RFCXXXX [3] should probably be modified |
| 520 |
to suggest the use of ``s-maxage=0'' and/or ``max-age=0, |
| 521 |
must-revalidate'' to force proxies to revalidate a response. |
| 522 |
|
| 523 |
|
| 524 |
5 Security Considerations |
| 525 |
|
| 526 |
The proposed Digest Access Authentication extension [2] depends upon |
| 527 |
a mechanism to force proxies to always revalidate certain responses. |
| 528 |
Whether or not the proposal in this document is adopted, the Digest |
| 529 |
Access Authentication extension requires modification to reflect the |
| 530 |
option chosen (unless the HTTP/1.1 specification is revised to make |
| 531 |
``proxy-revalidate'' apply to fresh as well as to stale responses.) |
| 532 |
|
| 533 |
|
| 534 |
6 Acknowledgements |
| 535 |
|
| 536 |
Several people contributed to my understanding of this issue, |
| 537 |
including Roy Fielding, Koen Holtman, Paul Leach, Ingrid Melve, and |
| 538 |
Anselm Baird-Smith. However, the proposal in this document is my |
| 539 |
fault alone. |
| 540 |
|
| 541 |
|
| 542 |
7 References |
| 543 |
|
| 544 |
1. Roy T. Fielding, Jim Gettys, Jeffrey C. Mogul, Henrik Frystyk |
| 545 |
Nielsen, and Tim Berners-Lee. Hypertext Transfer Protocol -- |
| 546 |
HTTP/1.1. RFC 2068, HTTP Working Group, January, 1997. |
| 547 |
|
| 548 |
2. J. Franks, P. Hallam-Baker, J. Hostetler, P. Leach, A. Luotonen, |
| 549 |
E. Sink, L. Stewart. An Extension to HTTP: Digest Access |
| 550 |
Authentication. RFC 2069, HTTP Working Group, January, 1997. |
| 551 |
|
| 552 |
3. D. Kristol, L. Montulli. HTTP State Management Mechanism. RFC |
| 553 |
2109, HTTP Working Group, February, 1997. |
| 554 |
|
| 555 |
4. J. Mogul and P. Leach. Simple Hit-Metering and Usage-Limiting |
| 556 |
for HTTP. Internet Draft draft-ietf-http-hit-metering-02.txt, HTTP |
| 557 |
Working Group, March, 1997. This is a work in progress. |
| 558 |
|
| 559 |
|
| 560 |
8 Author's address |
| 561 |
|
| 562 |
Jeffrey C. Mogul |
| 563 |
Western Research Laboratory |
| 564 |
Digital Equipment Corporation |
| 565 |
250 University Avenue |
| 566 |
Palo Alto, California, 94305, USA |
| 567 |
Email: mogul@wrl.dec.com |
| 568 |
|
| 569 |
|
| 570 |
|
| 571 |
Mogul [Page 10] |
Parent Directory
| 
Revision Log