How to implement the best practice "cache resources"


How to implement the best practice "cache resources"

JOSE MANUEL CANTERA FONSECA

Hi all,

I was trying to find a recommended open source library to calculate a hash of a resource in accordance with the "cache resources by fingerprinting" best practice. Any advice, especially from the people who proposed this BP, would be welcome.

thank you

best r.


Re: How to implement the best practice "cache resources"

Tom Hume
Would MD5 be a good means of doing this?

2010/1/21 JOSE MANUEL CANTERA FONSECA <[hidden email]>:

> Hi all,
>
>
>
> I was trying to find a recommended open source library to calculate a hash
> of a resource in accordance with the "cache resources by fingerprinting" best
> practice. Any advice, especially from the people who proposed this BP, would
> be welcome.
>
>
>
> thank you
>
>
>
> best r.



--
Future Platforms: hungry and foolish since 2000
work: [hidden email] play: tomhume.org


RE: How to implement the best practice "cache resources"

Rotan Hanrahan
That's an interesting question. On seeing that BP for the first time I assumed the fingerprint would be derived from the metadata (mainly the HTTP headers). Certainly one could hash these to facilitate an associative lookup. The question, as posed, raises another possibility, and that is a digital signature of the entire response. Headers and payload. So now I too would like to get some clarity from the proposers.
 
As for MD5, whether used to hash only (a subset of) the headers or the entire response, there is always the possibility of "hash clash". Despite this, MD5 is still useful as a checksum, though I have my doubts about using it as the sole means of key generation for a resource cache.
 
If you want to consider an alternative, SHA-2 is worth a look. I get the impression that this is going to take over from MD5 in the near future.
 
Assuming the security of the hashing is not significant, the focus might turn to the processing efficiency. Maybe some cryptographers reading this might care to comment.
 
Finally, if you are interested in some open source crypto resources, I recommend you take a look at Bouncy Castle. ( www.bouncycastle.org )
 
---Rotan.

________________________________

From: [hidden email] on behalf of Tom Hume
Sent: Sun 24/01/2010 13:35
To: JOSE MANUEL CANTERA FONSECA
Cc: Mobile Web Best Practices Working Group WG
Subject: Re: How to implement the best practice "cache resources"



Would MD5 be a good means of doing this?


Re: How to implement the best practice "cache resources"

Jo Rabin
I thought you'd do this the same way as you would an ETag. But the BP does
specify a hash of the resource content, rather than something made from
the last modified date, or something. So perhaps the BP is overly
prescriptive about this.

Jo

On 24/01/2010 22:08, Rotan Hanrahan wrote:

> That's an interesting question. On seeing that BP for the first time I assumed the fingerprint would be derived from the metadata (mainly the HTTP headers). Certainly one could hash these to facilitate an associative lookup. The question, as posed, raises another possibility, and that is a digital signature of the entire response. Headers and payload. So now I too would like to get some clarity from the proposers.
>  
> As for MD5, whether used to hash only (a subset of) the headers or the entire response, there is always the possibility of "hash clash". Despite this, MD5 is still useful as a checksum, though I have my doubts about using it as the sole means of key generation for a resource cache.
>  
> If you want to consider an alternative, SHA-2 is worth a look. I get the impression that this is going to take over from MD5 in the near future.
>  
> Assuming the security of the hashing is not significant, the focus might turn to the processing efficiency. Maybe some cryptographers reading this might care to comment.
>  
> Finally, if you are interested in some open source crypto resources, I recommend you take a look at Bouncy Castle. ( www.bouncycastle.org )
>  
> ---Rotan.

RE: How to implement the best practice "cache resources"

Scheppe, Kai-Dietrich-2
Isn't the Etag some form of hash already?

Kai


 

> -----Original Message-----
> From: Jo Rabin [mailto:[hidden email]]
> Sent: Monday, January 25, 2010 2:53 PM
> To: Rotan Hanrahan
> Cc: Tom Hume; JOSE MANUEL CANTERA FONSECA; Mobile Web Best
> Practices Working Group WG
> Subject: Re: How to implement the best practice "cache resources"
>
> I thought you'd do this the same way as you would an ETag. But
> the BP does specify a hash of the resource content, rather
> than something made from the last modified date, or
> something. So perhaps the BP is overly prescriptive about this.
>
> Jo

Re: How to implement the best practice "cache resources"

Jo Rabin
Yes, but not necessarily of the content, which is what the BP specifies.

Jo

On 25/01/2010 13:58, Scheppe, Kai-Dietrich wrote:

> Isn't the Etag some form of hash already?
>
> Kai

RE: How to implement the best practice "cache resources"

Rotan Hanrahan
In reply to this post by Scheppe, Kai-Dietrich-2
Etag [1] doesn't have to be a hash, though some servers implement it
that way. Could be a hash of the content, or of metadata describing the
content (including a timestamp) or all of this. Or maybe even none, as
it might be no more than a uniformly increasing version number, or
something similar. It indicates that something has changed, but the
scope of the context of this assessment is limited to what is visible to
the server. If you are an intermediate proxy, then you might have a
slightly different view of the context, and hence your interpretation of
"changed" might differ. This is subtly different from the validation
mechanism [2] originally envisaged, which said nothing about a resource
being perceived differently depending on the delivery context. The
assumption has been the traditional "one resource, one representation".
Etag does not differentiate between a change of the resource or a change
of its representation.

So, I suggest that Etag alone might not be sufficient for every
proxy/cache situation, and that gathering some more fingerprints might
be necessary. Whether or not one needs to fingerprint the entire
payload, I'm not sure, but I'd like to avoid that overhead if possible.
Maybe this is just too much for a blanket BP to cover?

---Rotan.

[1] http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.19
[2] http://www.w3.org/Protocols/rfc2616/rfc2616-sec13.html#sec13.3.3



-----Original Message-----
From: Scheppe, Kai-Dietrich [mailto:[hidden email]]
Sent: 25 January 2010 13:58
To: Jo Rabin; Rotan Hanrahan
Cc: Tom Hume; JOSE MANUEL CANTERA FONSECA; Mobile Web Best Practices
Working Group WG
Subject: RE: How to implement the best practice "cache resources"

Isn't the Etag some form of hash already?

Kai


 

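An added example, not written by any poster in this thread, contrasting the two kinds of identifier the thread distinguishes: a validator built from metadata, as an ETag may be, and a fingerprint of the resource content, as the BP specifies. The resource bytes, the name `site.css`, the modification times and the `size-mtime` validator format are constructed for illustration; SHA-256 (a SHA-2 function) is the default, and the `algorithm` parameter accepts any name `hashlib` supports.

```python
import hashlib
import io


def content_fingerprint(stream, algorithm="sha256", chunk_size=65536):
    """Hash the resource bytes only, reading in chunks so large files stay off the heap."""
    h = hashlib.new(algorithm)
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        h.update(chunk)
    return h.hexdigest()


def metadata_validator(size, mtime):
    """ETag-style validator from metadata (assumed format: hex size and hex mtime)."""
    return '"%x-%x"' % (size, mtime)


def fingerprinted_name(name, digest, length=16):
    """Embed a truncated digest in the name: site.css -> site.<digest>.css."""
    stem, dot, ext = name.rpartition(".")
    if not dot:
        return f"{name}.{digest[:length]}"
    return f"{stem}.{digest[:length]}.{ext}"


def demo():
    """Return {label: (metadata validator, fingerprinted name)} for three constructed cases."""
    original = (b"body { color: #000000; }\n", 1000)
    redeployed = (original[0], 2000)                    # same bytes, newer mtime
    edited = (b"body { color: #ffffff; }\n", 1000)      # new bytes, same size and mtime
    cases = {"original": original, "redeployed": redeployed, "edited": edited}
    rows = {}
    for label, (data, mtime) in cases.items():
        digest = content_fingerprint(io.BytesIO(data))
        rows[label] = (metadata_validator(len(data), mtime),
                       fingerprinted_name("site.css", digest))
    return rows


if __name__ == "__main__":
    for label, (validator, name) in demo().items():
        print(f"{label:<11} validator={validator:<10} name={name}")
```

The redeployed copy gets a new metadata validator although its bytes are unchanged, while the edited copy keeps the old validator although its bytes differ; only the content fingerprint tracks the bytes in both cases.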