Cache and Authentication
When can responses to authenticated requests be returned to
other users?  The current draft spec includes a statement
that if the request includes Authentication: then the response
is not cachable in such a way that other users could see it. 
Proposal: if the response contains "Cache-control: public"
then this overrides that rule.
ACTION ITEM: Jeff Mogul will clarify the language regarding what
this means (in particular, what "shared" means).
Larry:
    One might consider the authenticator merely to be another item on
    which response varies; that is, 'wrong authentication' =
    authentication error and 'right authentication' = value as appropriate
    to that authenticator. It is up to the origin server to decide whether
    it cares whether proxies cache results. While the default is that the
    result varies on the authenticator and that responses cannot be
    cached, origin servers might override that default by supplying a
    response that has an Expires and a vary clause that denotes either
    that "this response does not vary on authenticator" (e.g., you may
    serve it to anyone who comes along, authenticated or no) or "this
    response does vary on authenticator" (e.g., you may serve this to any
    client that supplies the same credentials.)
    This all only makes sense for basic authentication or for clients that
    use digest authentication.
The current Vary: proposal allows you to say
"this response does NOT depend on the Authentication: request header."
This mechanism would be more general than "Cache-control: public".
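The sharing rules discussed above can be modelled as a small shared-cache decision function. This is an added example, not text or code from the draft or the working group. SharedCache, Response, sharing_scope and the varies_on_auth field are hypothetical names, standing in for a Vary syntax the page does not give. The credentials are constructed samples, and freshness (Expires) is left out.

```python
# Added illustration; SharedCache, Response and varies_on_auth are hypothetical.
from dataclasses import dataclass
from typing import Optional

# The page writes "Authentication:"; HTTP's credential header is "Authorization".
AUTH_HEADERS = ("authentication", "authorization")

@dataclass
class Response:
    body: str
    cache_control: str = ""
    # None = origin said nothing; False = "does not vary on authenticator";
    # True = "does vary on authenticator" (reusable for the same credentials).
    varies_on_auth: Optional[bool] = None

def authenticator(headers):
    """Return the credential string from the request headers, or None."""
    for name, value in headers.items():
        if name.lower() in AUTH_HEADERS:
            return value
    return None

def sharing_scope(req_headers, resp):
    """Who may receive a stored copy: 'anyone', 'same-credentials' or 'nobody'."""
    directives = {d.strip().lower() for d in resp.cache_control.split(",")}
    if authenticator(req_headers) is None:
        return "anyone"      # only the authenticator rule is modelled here
    if "public" in directives or resp.varies_on_auth is False:
        return "anyone"      # origin server overrode the default
    if resp.varies_on_auth is True:
        return "same-credentials"
    return "nobody"          # default: authenticated response is not shared

class SharedCache:
    def __init__(self):
        self._store = {}     # (url, credential or None) -> Response

    def store(self, url, req_headers, resp):
        scope = sharing_scope(req_headers, resp)
        if scope == "anyone":
            self._store[(url, None)] = resp
        elif scope == "same-credentials":
            self._store[(url, authenticator(req_headers))] = resp

    def lookup(self, url, req_headers):
        cred = authenticator(req_headers)
        hit = self._store.get((url, cred))
        return hit or self._store.get((url, None))
```

A real cache would key on a digest of the credentials rather than the raw header value, so that the cache index itself does not hold reusable secrets.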
http working group issues