Network Working Group M. Nottingham
Internet-Draft February 21, 2002
Expires: August 22, 2002
HTTP Authentication Credential Caching Extension
draft-nottingham-http-auth-cache-00
Status of this Memo
This document is an Internet-Draft and is in full conformance with
all provisions of Section 10 of RFC2026.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-
Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at http://
www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
This Internet-Draft will expire on August 22, 2002.
Copyright Notice
Copyright (C) The Internet Society (2002). All Rights Reserved.
Abstract
This note proposes an HTTP cache-control extension mechanism that
allows caching of authentication credentials, thereby allowing
authenticated resources to be served from cache without incurring the
cost of a round-trip to the origin server more than once during the
freshness lifetime of the credentials.
Nottingham Expires August 22, 2002 [Page 1]
Internet-Draft HTTP Credential Caching February 2002
1. Introduction
HTTP [2] allows messages which are subject to authentication (such as
that defined by RFC2617 [3]) to be cached when certain directives are
present. In particular, Section 14.8 of RFC2616 says:
When a shared cache (see section 13.7) receives a request
containing an Authorization field, it MUST NOT return the
corresponding response as a reply to any other request, unless
one of the following specific exceptions holds:
1. If the response includes the s-maxage cache-control
directive, the cache MAY use that response in replying to a
subsequent request. But (if the specified maximum age has
passed) a proxy cache MUST first revalidate it with the
origin server, using the request-headers from the new
request to allow the origin server to authenticate the new
request. (This is the defined behavior for s-maxage.) If
the response includes s-maxage= 0 , the proxy MUST always
revalidate it before re-using it.
2. If the response includes the must-revalidate cache-control
directive, the cache MAY use that response in replying to a
subsequent request. But if the response is stale, all
caches MUST first revalidate it with the origin server,
using the request-headers from the new request to allow the
origin server to authenticate the new request.
3. If the response includes the public cache-control
directive, it MAY be returned in reply to any subsequent
request.
The most useful approach here is that described in the end of #1,
whereby a cache keeps the response, but revalidates new requests
before serving it (Note that this can also be effected by use of a
combination of the 'public' and 'max-age' cache-control directives).
This is useful for caching large representations (e.g., distributed
binary programs, PDF files); the efficiency of the cache hit offsets
the cost of going back to the origin server to authenticate the
request. It is less useful for caching of smaller representations
(such as images or HTML pages), because the efficiency gained from
the cache does not overcome the latency introduced by the round trip
to the origin server.
This note proposes an HTTP cache-control extension directive that
allows caching of authentication credentials, thereby allowing
authenticated resources to be served from cache without incurring the
Nottingham Expires August 22, 2002 [Page 2]
Internet-Draft HTTP Credential Caching February 2002
cost of a round-trip to the origin server more than once during the
freshness lifetime of the credentials.
Please direct comments to the HTTP-WG mailing list, http-
wg@cuckoo.hpl.hp.com.
1.1 Requirements
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [1].
An implementation is not compliant if it fails to satisfy one or more
of the MUST or REQUIRED level requirements. An implementation that
satisfies all the MUST or REQUIRED level and all the SHOULD level
requirements is said to be "unconditionally compliant"; one that
satisfies all the MUST level requirements but not all the SHOULD
level requirements is said to be "conditionally compliant".
2. The Auth-Cache Cache-Control Extension Directive
The auth-realm cache-control directive allows caches to serve an
authenticated response without validation on the origin server under
controlled conditions.
auth-cache = "auth-cache" [ "=" delta-seconds ]
When a shared cache receives a request containing an Authorization
field, it MAY return the corresponding response as a reply to a
subsequent request, if all of the following conditions hold;
1. The auth-cache cache-control extension is present in the (cached)
response.
2. The cached response credentials' realm matches that presented in
the request, and the cached response and the Request-URI have the
same canonical root URL (as defined by RFC2617, Section 1.2).
3. The presented credentials match the stored authentication state.
4. The response is fresh, according to its normal (non-
authenticated) HTTP freshness lifetime.
5. The cached credentials are fresh, as outlined below.
By default, the freshness lifetime of the stored credentials is equal
to that of the cached response. However, if the auth-cache directive
includes a value, it is interpreted as the cached credentials'
Nottingham Expires August 22, 2002 [Page 3]
Internet-Draft HTTP Credential Caching February 2002
freshness lifetime.
Implementations MUST generate 401 Authentication Required HTTP
responses and WWW-Authenticate headers when requests for such
resources do not present appropriate credentials.
3. Example
For example, if a shared cache contains a response for the URI http:/
/www.example.org/resource which includes the following response
headers:
Cache-Control: max-age=86400, auth-cache
WWW-Authenticate: Basic realm="WallyWorld"
This cached response can be served without validation, if:
o the request includes credentials that are valid for http://
www.example.org
o the request includes credentials with the realm 'WallyWorld'
o the credentials have been validated on the origin server in the
last day
o the response is fresh (i.e., has been validated on or directly
fetched from the origin server in the last day)
Note that the cached credentials may have been associated with a
different resource (e.g., http://www.example.org/Another/resource).
If the auth-cache directive included a value, for example:
Cache-Control: max-age=86400, auth-cache=3600
WWW-Authenticate: Basic realm="WallyWorld"
the same constraints would apply, except that the cached credentials
would need to be one hour or fresher.
4. Security Considerations
Authentication caching is vulnerable in the same ways as normal HTTP
authentication (as explained in RFC2616 and RFC2617), with the added
risk inherent in delegating authority for authentication to another
device or administrative domain, as applicable.
Additionally, the use of cached credentials introduces the
possibility of a replay attack, sometimes in cases where there may
Nottingham Expires August 22, 2002 [Page 4]
Internet-Draft HTTP Credential Caching February 2002
not have been such a risk previously. In particular, cached
credentials SHOULD NOT be used in conjunction with Digest
authentication, as doing so seriously weakens its security.
It should be noted that if the auth-cache directive is implemented by
multiple devices in a chain of caches (e.g., hierarchical caching
proxies), the cached credentials in some caches may in fact be older
than the specified freshness lifetime. This issue may be addressed
in future revisions of this note.
References
[1] Bradner, S., "Key words for use in RFCs to Indicate Requirement
Levels", RFC 2119, March 1997.
[2] Fielding, R., Gettys, J., Mogul, J., Frystyk, H., Masinter, L.,
Leach, P. and T. Berners-Lee, "Hypertext Transfer Protocol -
HTTP/1.1", RFC 2616, June 1999.
[3] Franks, J., Hallam-Baker, P., Hostetler, J., Lawrence, S.,
Leach, P., Luotonen, A. and L. Stewart, "HTTP Authentication:
Basic and Digest Access Authentication", RFC 2617, June 1999.
Author's Address
Mark Nottingham
EMail: mnot@pobox.com
URI: http://www.mnot.net/
Nottingham Expires August 22, 2002 [Page 5]
Internet-Draft HTTP Credential Caching February 2002
Full Copyright Statement
Copyright (C) The Internet Society (2002). All Rights Reserved.
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other than
English.
The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assigns.
This document and the information contained herein is provided on an
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Acknowledgement
Funding for the RFC Editor function is currently provided by the
Internet Society.
Nottingham Expires August 22, 2002 [Page 6]