[Openid-specs-ab] Issue #1488: certification query: checking "do not cache" response headers (openid/connect)
panva
issues-reply at bitbucket.org
Tue Apr 26 13:03:22 UTC 2022
New issue 1488: certification query: checking "do not cache" response headers
https://bitbucket.org/openid/connect/issues/1488/certification-query-checking-do-not-cache
Filip Skokan:
The certification suite currently enforces the presence of a `pragma: no-cache` response header as well as the presence of `cache-control: no-store` (or, optionally in some tests, `cache-control: no-cache, no-store`).
Going as far back as [Feb 2015](https://mailarchive.ietf.org/arch/msg/oauth/9DdkE2P0RrUZMeZAbdf3NrMfy0w/), Brian noted that `pragma: no-cache` has no defined meaning in HTTP responses. This has now [resurfaced](https://bitbucket.org/openid/connect/issues/1483/directive-pragma-no-cache) again with backchannel logout.
Likewise `cache-control: no-store` on its own is the strongest directive available, making `no-cache` redundant.
The proposal / question here is to make it so that the certification suite only performs `cache-control` presence assertion with a check for `no-store` directive presence in it for all scenarios where “do not cache” directives should be present. The extent of this update meets the intersection of what is incorrectly required by 6749 with what is technically correct and enough to instruct clients and intermediaries not to cache.
This **does not** mean the suite will start rejecting requests that include `no-cache` in `cache-control` or `pragma: no-cache`.
I have a PR open for this adjustment in the certification suite and @{557058:8d4e94ec-77de-477e-971f-fbc78d08d0f7} asked to have this run by the WG.
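As an added illustration of the rule being proposed (this is not the certification suite's code, and the function names below are made up for the example): a response-header check that requires `Cache-Control` to be present and to carry the `no-store` directive, while neither requiring nor rejecting `Pragma: no-cache` or a redundant `no-cache` directive. Directive names are matched case-insensitively, multiple `Cache-Control` field instances are combined as HTTP requires, and quoted arguments such as `private="set-cookie, x"` are not split on their inner commas.

```python
"""Added example of the 'do not cache' header check proposed in the thread.
Not the conformance suite's own code; all names here are the example's own."""
from typing import Dict, Iterable, List, Optional, Tuple


def _split_directives(value: str) -> List[str]:
    """Split a Cache-Control field value on commas, respecting quoted strings
    (a quoted argument may itself contain commas and backslash-escaped quotes)."""
    parts, buf, in_quote, i = [], [], False, 0
    while i < len(value):
        ch = value[i]
        if in_quote:
            if ch == "\\" and i + 1 < len(value):  # quoted-pair: keep escaped char
                buf.append(value[i + 1])
                i += 2
                continue
            if ch == '"':
                in_quote = False
            buf.append(ch)
        elif ch == '"':
            in_quote = True
            buf.append(ch)
        elif ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    return [p.strip() for p in parts if p.strip()]


def parse_cache_control(values: Iterable[str]) -> Dict[str, Optional[str]]:
    """Parse one or more Cache-Control field values into {directive: argument}.

    Directive names are case-insensitive tokens; several header instances are
    treated as if their values had been comma-joined into one. A directive
    without an argument maps to None; surrounding quotes are stripped."""
    directives: Dict[str, Optional[str]] = {}
    for value in values:
        for part in _split_directives(value):
            name, sep, arg = part.partition("=")
            name = name.strip().lower()
            arg = arg.strip()
            if sep and len(arg) >= 2 and arg[0] == arg[-1] == '"':
                arg = arg[1:-1]
            directives[name] = arg if sep else None
    return directives


def check_no_cache_headers(headers: List[Tuple[str, str]]) -> Tuple[bool, List[str]]:
    """Apply the proposed rule to a list of (name, value) response headers.

    Passes only if Cache-Control is present and contains no-store. Pragma and
    a redundant no-cache directive are reported in the notes but never cause
    a failure, matching the 'does not reject' point in the proposal."""
    cc_values = [v for k, v in headers if k.lower() == "cache-control"]
    if not cc_values:
        return False, ["Cache-Control header is missing"]
    directives = parse_cache_control(cc_values)
    if "no-store" not in directives:
        return False, ["Cache-Control present but lacks the no-store directive: "
                       + ", ".join(sorted(directives))]
    notes: List[str] = []
    if "no-cache" in directives:
        notes.append("no-cache is redundant next to no-store (accepted)")
    if any(k.lower() == "pragma" for k, _ in headers):
        notes.append("Pragma has no defined meaning in responses (ignored)")
    return True, notes


if __name__ == "__main__":
    # Constructed sample responses, not captured from any real server.
    samples = {
        "current-style":  [("Cache-Control", "no-cache, no-store"), ("Pragma", "no-cache")],
        "proposed-min":   [("Cache-Control", "no-store")],
        "no-cache-only":  [("Cache-Control", "no-cache"), ("Pragma", "no-cache")],
        "quoted-arg":     [("cache-control", 'private="set-cookie, x", No-Store')],
        "split-headers":  [("Cache-Control", "no-cache"), ("Cache-Control", "no-store")],
        "missing":        [],
    }
    for label, hdrs in samples.items():
        ok, notes = check_no_cache_headers(hdrs)
        print(f"{label:14s} {'PASS' if ok else 'FAIL'} {notes}")
```

Running the script prints PASS for every case except `no-cache-only` and `missing`, which is exactly the intersection the proposal describes: the check is satisfied by `no-store` alone, stays satisfied when the older `no-cache`/`pragma` headers are also sent, and fails when a server sends only the directives that do not actually prevent storage.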