<html><head><meta http-equiv="Content-Type" content="text/html charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">+1, this is a good balance between correctness and pragmatism.<div class=""><br class=""></div><div class=""> — Justin</div><div class=""><br class=""></div><div class=""><br class=""><div><blockquote type="cite" class=""><div class="">On Mar 2, 2015, at 4:54 PM, Mike Jones <<a href="mailto:Michael.Jones@microsoft.com" class="">Michael.Jones@microsoft.com</a>> wrote:</div><br class="Apple-interchange-newline"><div class="">
<div lang="EN-US" link="blue" vlink="purple" class="">
<div class="WordSection1"><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D" class="">I think this is where we are:<o:p class=""></o:p></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D" class=""> </span></p><p class="MsoNormal" style="margin-left:.5in">Add this normative text:<o:p class=""></o:p></p><p class="MsoNormal"><o:p class=""> </o:p></p><p class="MsoNormal" style="margin-left:1.0in">"Because the Authorization Response is intended to be used only once, the Authorization Server MUST instruct the User Agent (and any intermediaries) not to store or reuse the content of the response."<o:p class=""></o:p></p><p class="MsoNormal"><o:p class=""> </o:p></p><p class="MsoNormal" style="margin-left:.5in">Use these directives in the example:<o:p class=""></o:p></p><p class="MsoNormal"><o:p class=""> </o:p></p><p class="MsoNormal" style="margin-left:1.0in"><span style="font-family:"Courier New"" class="">Cache-Control: no-cache, no-store<o:p class=""></o:p></span></p><p class="MsoNormal" style="margin-left:1.0in"><span style="font-family:"Courier New"" class="">Pragma: no-cache</span><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D" class=""><o:p class=""></o:p></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D" class=""> </span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D" class="">Let’s close on the text to use during the call in just over an hour. 
Talk to you soon…<o:p class=""></o:p></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D" class=""> </span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D" class=""> -- Mike<o:p class=""></o:p></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D" class=""> </span></p><p class="MsoNormal"><b class=""><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"" class="">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"" class=""> Brian Campbell [<a href="mailto:bcampbell@pingidentity.com" class="">mailto:bcampbell@pingidentity.com</a>]
<br class="">
<b class="">Sent:</b> Monday, March 02, 2015 1:46 PM<br class="">
<b class="">To:</b> Mike Jones<br class="">
<b class="">Cc:</b> John Bradley; Breno de Medeiros; <<a href="mailto:openid-specs-ab@lists.openid.net" class="">openid-specs-ab@lists.openid.net</a>><br class="">
<b class="">Subject:</b> Re: [Openid-specs-ab] Form Post Response Mode example has 'Pragma: no-cache'<o:p class=""></o:p></span></p><p class="MsoNormal"><o:p class=""> </o:p></p>
<div class=""><p class="MsoNormal">Though I still prefer that any normative text be somewhat general and avoid mandating specific headers or values. There was one such (rough) proposal for text earlier in this thread.</p>
</div>
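<div class=""><p class="MsoNormal">The proposal summarised above (general normative text, with <code>Cache-Control: no-cache, no-store</code> and <code>Pragma: no-cache</code> in the non-normative example), as an added, runnable example. This is editor-supplied code, not from any message in this thread, from Google, or from the Form Post Response Mode specification: the client callback URL, the code/state values, the HTML skeleton of the auto-submitting form and the checker's pass/warn rules are assumptions made here for illustration. It parses <code>Cache-Control</code> as RFC 7234 section 5.2 defines it (quoted-string values included), requires <code>no-store</code> to satisfy the "not to store or reuse" text, treats <code>no-cache</code> on its own as insufficient because it forbids reuse without revalidation but not storage, and reports <code>Pragma: no-cache</code> only as an HTTP/1.0 fallback, since RFC 7234 section 5.4 leaves its meaning in responses unspecified.</p>

```python
"""Form Post Response Mode: emit the Authorization Response with the cache
directives discussed in this thread, and check a response's headers against
the proposed normative text ("MUST instruct the User Agent (and any
intermediaries) not to store or reuse the content of the response").

Added example for this thread; not code from any participant, from Google,
or from the OpenID specification.  Callback URL, code/state values, the form
HTML and the pass/warn rules are constructed for illustration.
"""
import html
import re
from typing import Dict, List, Tuple


def _split_directives(value: str) -> List[str]:
    """Split a Cache-Control value on commas outside quoted-strings.
    RFC 7234 s.5.2 lets a directive value be a quoted-string, which may
    itself contain commas (e.g. no-cache="Set-Cookie, Foo")."""
    parts: List[str] = []
    buf: List[str] = []
    in_quote = escaped = False
    for ch in value:
        if escaped:
            escaped = False
        elif in_quote and ch == "\\":
            escaped = True
        elif ch == '"':
            in_quote = not in_quote
        elif ch == "," and not in_quote:
            parts.append("".join(buf))
            buf = []
            continue
        buf.append(ch)
    parts.append("".join(buf))
    return [p.strip() for p in parts if p.strip()]  # empty list elements are tolerated


def parse_cache_control(value: str) -> Dict[str, str]:
    """Return {directive name (lower-cased): value}; valueless directives map
    to ''.  Quoted-string values are unquoted and quoted-pairs unescaped."""
    directives: Dict[str, str] = {}
    for part in _split_directives(value):
        name, _, raw = part.partition("=")
        raw = raw.strip()
        if len(raw) >= 2 and raw[0] == raw[-1] == '"':
            raw = re.sub(r"\\(.)", r"\1", raw[1:-1])
        directives[name.strip().lower()] = raw
    return directives


def check_response_caching(headers: Dict[str, str]) -> Dict[str, object]:
    """Does this response tell caches not to store or reuse it?

    Rules chosen for this example (RFC 7234):
      * no-store (s.5.2.2.3) is required: a cache MUST NOT store any part
        of the request or response, so nothing is left to reuse.
      * no-cache (s.5.2.2.2) only forbids reuse without revalidation, not
        storing; alone it is an error, missing next to no-store a warning.
      * Pragma (s.5.4) is a request-side field; 'Pragma: no-cache' on a
        response is a hint for HTTP/1.0 intermediaries and never counts.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(lower.get("cache-control", ""))
    pragma = {d.strip().lower() for d in lower.get("pragma", "").split(",")}
    errors: List[str] = []
    warnings: List[str] = []

    if "no-store" not in cc:
        errors.append("Cache-Control lacks no-store: caches may keep a copy of the response")
        if not cc and "no-cache" in pragma:
            errors.append("only Pragma: no-cache is set, which RFC 7234 does not define for responses")
    if "no-cache" not in cc:
        warnings.append("Cache-Control lacks no-cache; the example headers in this thread send both")
    if "no-cache" not in pragma:
        warnings.append("no Pragma: no-cache fallback for pre-HTTP/1.1 intermediaries")

    return {"ok": not errors, "errors": errors, "warnings": warnings, "directives": cc}


def build_form_post_response(redirect_uri: str, params: Dict[str, str]) -> Tuple[int, Dict[str, str], str]:
    """Return (status, headers, body) for a form_post Authorization Response:
    an HTML page whose form auto-submits the response parameters to the
    client's redirect_uri, sent with the cache directives proposed above."""
    inputs = "\n".join(
        f'      <input type="hidden" name="{html.escape(k, quote=True)}" '
        f'value="{html.escape(v, quote=True)}"/>'
        for k, v in params.items()
    )
    body = (
        "<html>\n"
        "  <head><title>Submit This Form</title></head>\n"
        '  <body onload="javascript:document.forms[0].submit()">\n'
        f'    <form method="post" action="{html.escape(redirect_uri, quote=True)}">\n'
        f"{inputs}\n"
        "    </form>\n"
        "  </body>\n"
        "</html>\n"
    )
    headers = {
        "Content-Type": "text/html;charset=UTF-8",
        "Cache-Control": "no-cache, no-store",  # directives proposed for the spec example
        "Pragma": "no-cache",                   # HTTP/1.0 fallback, kept on purpose
    }
    return 200, headers, body


if __name__ == "__main__":
    # Constructed sample: a code-flow response for a hypothetical client.
    status, hdrs, body = build_form_post_response(
        "https://client.example.org/callback",
        {"code": "example-authz-code", "state": "example-state"},
    )
    print(f"HTTP/1.1 {status} OK")
    for name, value in hdrs.items():
        print(f"{name}: {value}")
    print()
    print(body)
    print(check_response_caching(hdrs))
```

<p class="MsoNormal">Run it to see the full response an Authorization Server would return in <code>form_post</code> mode, then feed other header sets to <code>check_response_caching</code>: the earlier draft with only <code>no-cache</code> fails, <code>Pragma: no-cache</code> by itself fails, and the "kitchen sink" header set proposed below passes with only a missing-Pragma warning.</p></div>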
<div class=""><p class="MsoNormal"><o:p class=""> </o:p></p>
<div class=""><p class="MsoNormal">On Mon, Mar 2, 2015 at 2:29 PM, Brian Campbell <<a href="mailto:bcampbell@pingidentity.com" target="_blank" class="">bcampbell@pingidentity.com</a>> wrote:<o:p class=""></o:p></p>
<div class="">
<div class="">
<div class=""><p class="MsoNormal" style="margin-bottom:12.0pt">Yeah, I guess I was hoping that some of the messiness of the internet was old enough that it didn't have to be in new specs. But that was likely silly.<o:p class=""></o:p></p>
</div><p class="MsoNormal" style="margin-bottom:12.0pt">If we go with Mike's proposal, the example would have a "no-cache" directive added to the "Cache-Control" response header. And the "Pragma: no-cache" stays. *sigh*<o:p class=""></o:p></p>
</div>
<div class=""><p class="MsoNormal"><o:p class=""> </o:p></p>
</div>
</div>
<div class="">
<div class="">
<div class=""><p class="MsoNormal"><o:p class=""> </o:p></p>
<div class=""><p class="MsoNormal">On Sat, Feb 28, 2015 at 7:00 PM, Mike Jones <<a href="mailto:Michael.Jones@microsoft.com" target="_blank" class="">Michael.Jones@microsoft.com</a>> wrote:<o:p class=""></o:p></p>
<div class="">
<div class=""><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D" class="">In the example, I propose that we go with the directives that Google uses in practice. At least
we have the weight of their data and usage behind this choice.</span><o:p class=""></o:p></p><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D" class=""> </span><o:p class=""></o:p></p><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D" class=""> -- Mike</span><o:p class=""></o:p></p><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D" class=""> </span><o:p class=""></o:p></p>
<div class="">
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in" class=""><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><b class=""><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"" class="">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"" class=""> Openid-specs-ab [mailto:<a href="mailto:openid-specs-ab-bounces@lists.openid.net" target="_blank" class="">openid-specs-ab-bounces@lists.openid.net</a>]
<b class="">On Behalf Of </b>John Bradley<br class="">
<b class="">Sent:</b> Friday, February 27, 2015 2:48 PM<br class="">
<b class="">To:</b> Breno de Medeiros<br class="">
<b class="">Cc:</b> <<a href="mailto:openid-specs-ab@lists.openid.net" target="_blank" class="">openid-specs-ab@lists.openid.net</a>></span><o:p class=""></o:p></p>
<div class="">
<div class=""><p class="MsoNormal"><br class="">
<b class="">Subject:</b> Re: [Openid-specs-ab] Form Post Response Mode example has 'Pragma: no-cache'<o:p class=""></o:p></p>
</div>
</div>
</div>
</div>
<div class="">
<div class=""><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> </p><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Yes, that was what I was trying to say on the call. From my recollection of working with caches, you still need to send the HTTP 1.0 Pragma: no-cache, as some will ignore the HTTP 1.1 directive.</p>
<div class=""><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p class=""></o:p></p>
</div>
<div class=""><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">There are cable and satellite, and Christian/children's content-filtering proxies, which I recall can be the worst.</p>
</div>
<div class=""><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p class=""></o:p></p>
</div>
<div class=""><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">You are correct that it is not the right way to do it in HTTP 1.1; however, in HTTP 1.0 the behaviour was unspecified for Pragma: no-cache in the response header.</p>
</div>
<div class=""><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Most caches ignore it, but some will honour it and ignore the others.</p>
</div>
<div class=""><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p class=""></o:p></p>
</div>
<div class=""><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">I don’t know that there is a completely correct answer for a messy internet.<o:p class=""></o:p></p>
</div>
<div class=""><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p class=""></o:p></p>
</div>
<div class=""><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">John B.<o:p class=""></o:p></p>
</div>
<div class=""><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p class=""></o:p></p>
<div class="">
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt" class="">
<div class=""><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">On Feb 27, 2015, at 10:28 PM, Breno de Medeiros <<a href="mailto:breno@google.com" target="_blank" class="">breno@google.com</a>> wrote:<o:p class=""></o:p></p>
</div><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p class=""></o:p></p>
<div class="">
<div class="">
<div class=""><p class="MsoNormal" style="mso-margin-top-alt:auto;margin-bottom:12.0pt"><span style="font-size:9.0pt;font-family:"Helvetica","sans-serif"" class=""> </span><o:p class=""></o:p></p>
<div class=""><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:9.0pt;font-family:"Helvetica","sans-serif"" class="">On Fri, Feb 27, 2015 at 1:15 PM, Brian Campbell <<a href="mailto:bcampbell@pingidentity.com" target="_blank" class="">bcampbell@pingidentity.com</a>> wrote:</span><o:p class=""></o:p></p>
<div class="">
<div class="">
<div class="">
<div class=""><p class="MsoNormal" style="mso-margin-top-alt:auto;margin-bottom:12.0pt"><span style="font-size:9.0pt;font-family:"Helvetica","sans-serif"" class="">Thanks Breno,</span><o:p class=""></o:p></p>
</div><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:9.0pt;font-family:"Helvetica","sans-serif"" class="">I see you've got "Pragma: no-cache" there, which according to both <a href="http://tools.ietf.org/html/rfc2616#section-14.32" target="_blank" class="">RFC 2616</a> and <a href="https://tools.ietf.org/html/rfc7234#section-5.4" target="_blank" class="">RFC 7234</a> isn't defined for the response and isn't reliable for anti-caching. Having read that is what led me to bring this thread up in the first place. But I generally assume that Google knows what they're doing, so I have to ask: do you know why that particular one is being used?</span></p>
</div>
</div>
</div>
<div class=""><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:9.0pt;font-family:"Helvetica","sans-serif"" class=""> </span><o:p class=""></o:p></p>
</div>
<div class=""><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:9.0pt;font-family:"Helvetica","sans-serif"" class="">I am not an expert on caching, but my understanding is that nearly all clients compliant with HTTP 1.1 will process the 'modern' caching directive on the cache-control entry and ignore the pragma that comes later. However, there are transparent caching proxies (or there used to be until uncomfortably recently, especially in some regions of the world) that are not actually HTTP 1.1 compliant (but allow the declaration from the downstream client to be asserted, which they need to in any case). These very old and bizarre proxies don't correctly process the cache-control directive, but obey the older (HTTP 1.0) pragma directive, which is better than nothing.</span></p>
</div>
<div class=""><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:9.0pt;font-family:"Helvetica","sans-serif"" class=""> </span><o:p class=""></o:p></p>
</div>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt" class="">
<div class="">
<div class="">
<div class=""><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:9.0pt;font-family:"Helvetica","sans-serif"" class=""> </span><o:p class=""></o:p></p>
</div>
</div>
<div class="">
<div class=""><p class="MsoNormal" style="mso-margin-top-alt:auto;margin-bottom:12.0pt"><span style="font-size:9.0pt;font-family:"Helvetica","sans-serif"" class=""> </span><o:p class=""></o:p></p>
</div>
</div>
</div>
<div class="">
<div class="">
<div class=""><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:9.0pt;font-family:"Helvetica","sans-serif"" class=""> </span><o:p class=""></o:p></p>
<div class=""><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:9.0pt;font-family:"Helvetica","sans-serif"" class="">On Thu, Feb 26, 2015 at 7:45 PM, Breno de Medeiros <<a href="mailto:breno@google.com" target="_blank" class="">breno@google.com</a>> wrote:</span><o:p class=""></o:p></p>
<div class=""><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:9.0pt;font-family:"Helvetica","sans-serif"" class="">FWIW, the cache headers returned for some Google sensitive pages are:</span><o:p class=""></o:p></p>
<div class=""><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:9.0pt;font-family:"Helvetica","sans-serif"" class=""> </span><o:p class=""></o:p></p>
</div>
<div class="">
<div class=""><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:9.0pt;font-family:"Helvetica","sans-serif"" class="">Cache-control: no-cache, no-store</span><o:p class=""></o:p></p>
</div>
<div class=""><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:9.0pt;font-family:"Helvetica","sans-serif"" class="">Pragma: no-cache</span><o:p class=""></o:p></p>
</div>
</div>
<div class=""><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:9.0pt;font-family:"Helvetica","sans-serif"" class=""> </span><o:p class=""></o:p></p>
</div>
<div class=""><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:9.0pt;font-family:"Helvetica","sans-serif"" class="">The answers to the questions are yes and yes (where the first 'yes' should mean to say 'modify the headers to a commonly agreed value that has clearer no-caching semantics').</span></p>
</div>
<div class=""><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:9.0pt;font-family:"Helvetica","sans-serif"" class=""> </span><o:p class=""></o:p></p>
</div>
</div>
<div class="">
<div class="">
<div class=""><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:9.0pt;font-family:"Helvetica","sans-serif"" class=""> </span><o:p class=""></o:p></p>
<div class=""><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:9.0pt;font-family:"Helvetica","sans-serif"" class="">On Thu, Feb 26, 2015 at 3:51 PM, Nat Sakimura <<a href="mailto:sakimura@gmail.com" target="_blank" class="">sakimura@gmail.com</a>> wrote:</span><o:p class=""></o:p></p>
<div class=""><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:9.0pt;font-family:"Helvetica","sans-serif"" class="">If you can change "sensitive" to something else, I would be fine. "Sensitive" has some connotation in the field
of privacy and I do not want confusion there. </span><o:p class=""></o:p></p>
<div class=""><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:9.0pt;font-family:"Helvetica","sans-serif"" class=""> </span><o:p class=""></o:p></p>
</div>
<div class=""><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:9.0pt;font-family:"Helvetica","sans-serif"" class=""> </span><o:p class=""></o:p></p>
</div>
<div class=""><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:9.0pt;font-family:"Helvetica","sans-serif"" class=""> </span><o:p class=""></o:p></p>
</div>
<div class=""><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:9.0pt;font-family:"Helvetica","sans-serif"" class=""> </span><o:p class=""></o:p></p>
</div>
<div class=""><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:9.0pt;font-family:"Helvetica","sans-serif"" class=""> </span><o:p class=""></o:p></p>
</div>
</div>
<div class="">
<div class="">
<div class=""><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:9.0pt;font-family:"Helvetica","sans-serif"" class=""> </span><o:p class=""></o:p></p>
<div class=""><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:9.0pt;font-family:"Helvetica","sans-serif"" class="">2015-02-26 23:28 GMT+09:00 Brian Campbell <<a href="mailto:bcampbell@pingidentity.com" target="_blank" class="">bcampbell@pingidentity.com</a>>:</span><o:p class=""></o:p></p>
<div class="">
<div class=""><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:9.0pt;font-family:"Helvetica","sans-serif"" class="">I'm fine with not wanting to use the word 'sensitive' but the text you proposed doesn't seem quite right.<br class="">
<br class="">
While the "no-store" definition does mention non-volatile storage, it also talks about volatile storage and, as I read it, pretty much says don't store any part of the response or associated request, ever. From the text, quoted again below, I don't see how
"no-store" is possibly insufficient. </span><o:p class=""></o:p></p>
<h5 style="margin-left:30.0pt" class=""><a href="https://tools.ietf.org/html/rfc7234#section-5.2.2.3" target="_blank" class=""><span style="font-family:"Courier New"" class="">5.2.2.3</span></a><span style="font-family:"Courier New"" class="">. no-store</span></h5>
<pre style="margin-left:30.0pt" class="">
 The "no-store" response directive indicates that a cache MUST NOT
 store any part of either the immediate request or response. This
 directive applies to both private and shared caches. "MUST NOT
 store" in this context means that the cache MUST NOT intentionally
 store the information in non-volatile storage, and MUST make a
 best-effort attempt to remove the information from volatile storage
 as promptly as possible after forwarding it.
</pre><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:9.0pt;font-family:"Helvetica","sans-serif"" class=""> </span></p>
</div>
<div class=""><p class="MsoNormal" style="mso-margin-top-alt:auto;margin-bottom:12.0pt"><span style="font-size:9.0pt;font-family:"Helvetica","sans-serif"" class="">Based on the text in the spec, I'm having a hard time understanding the push back on using "no-store".</span><o:p class=""></o:p></p>
</div>
<div class=""><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:9.0pt;font-family:"Helvetica","sans-serif"" class="">From a practical perspective, however, I am not well versed in what browsers and intermediate caches actually do and don't honor well. Generally, when I want to prevent something from being cached, I throw a bunch of anti-caching directives at the response and it just works out. To your point earlier, that kind of thing isn't exactly appropriate for normative text. Note also that there's not an implementation considerations section in this doc and we're trying to make only very small changes at this point.</span></p>
</div>
<div class=""><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:9.0pt;font-family:"Helvetica","sans-serif"" class=""> </span><o:p class=""></o:p></p>
</div>
<div class=""><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:9.0pt;font-family:"Helvetica","sans-serif"" class="">As a compromise, of sorts, what about some text like this:</span><o:p class=""></o:p></p>
</div>
<div class=""><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:9.0pt;font-family:"Helvetica","sans-serif"" class=""> </span><o:p class=""></o:p></p>
<div style="margin-left:30.0pt" class=""><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:9.0pt;font-family:"Helvetica","sans-serif"" class="">"Because the Authorization Response is intended to be used only once, the Authorization Server MUST instruct the
User Agent (and any intermediaries) not to store or reuse the content of the response."</span><o:p class=""></o:p></p>
</div><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:9.0pt;font-family:"Helvetica","sans-serif"" class=""> </span><o:p class=""></o:p></p>
</div>
<div class=""><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:9.0pt;font-family:"Helvetica","sans-serif"" class="">And then, in the non-normative example, just throw in the whole kitchen sink of cache prevention headers like:</span><o:p class=""></o:p></p>
</div><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:9.0pt;font-family:"Helvetica","sans-serif"" class=""> </span><o:p class=""></o:p></p>
<div style="margin-left:30.0pt" class=""><p class="MsoNormal" style="mso-margin-top-alt:auto;margin-bottom:12.0pt"><span style="font-size:9.0pt;font-family:"Courier New"" class="">Cache-Control: no-cache, no-store, max-age=0, must-revalidate, private <br class="">
Expires: Thu, 01 Jan 1970 00:00:00 GMT</span><o:p class=""></o:p></p>
</div><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:9.0pt;font-family:"Helvetica","sans-serif"" class="">?</span><o:p class=""></o:p></p>
<div class=""><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:9.0pt;font-family:"Helvetica","sans-serif"" class=""> </span><o:p class=""></o:p></p>
</div>
</div>
<div class="">
<div class="">
<div class=""><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:9.0pt;font-family:"Helvetica","sans-serif"" class=""> </span><o:p class=""></o:p></p>
<div class=""><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:9.0pt;font-family:"Helvetica","sans-serif"" class="">On Tue, Feb 24, 2015 at 5:41 PM, Nat Sakimura <<a href="mailto:sakimura@gmail.com" target="_blank" class="">sakimura@gmail.com</a>> wrote:</span><o:p class=""></o:p></p>
<div class=""><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:9.0pt;font-family:"Helvetica","sans-serif"" class="">Thanks Brian. </span><o:p class=""></o:p></p>
<div class=""><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:9.0pt;font-family:"Helvetica","sans-serif"" class=""> </span><o:p class=""></o:p></p>
</div>
<div class=""><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:9.0pt;font-family:"Helvetica","sans-serif"" class="">A friendly amendment to your proposed change: </span><o:p class=""></o:p></p>
</div>
<div class=""><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:9.0pt;font-family:"Helvetica","sans-serif"" class=""> </span><o:p class=""></o:p></p>
</div>
<div class=""><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:9.0pt;font-family:"Helvetica","sans-serif"" class="">Rationale</span><o:p class=""></o:p></p>
</div>
<div class=""><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:9.0pt;font-family:"Helvetica","sans-serif"" class="">-----------------</span><o:p class=""></o:p></p>
</div>
<div class=""><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:9.0pt;font-family:"Helvetica","sans-serif"" class="">'sensitive' is either undefined or has other connotations, especially in the privacy realm, thus it is probably better to avoid the word in this particular case.</span></p>
</div>
<div class=""><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:9.0pt;font-family:"Helvetica","sans-serif"" class=""> </span><o:p class=""></o:p></p>
</div>
<div class=""><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:9.0pt;font-family:"Helvetica","sans-serif"" class="">Also, "no-store" in our case is insufficient as cache control because it is just concerned with non-volatile storage.</span></p>
</div>
<div class=""><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:9.0pt;font-family:"Helvetica","sans-serif"" class=""> </span><o:p class=""></o:p></p>
</div>
<div class=""><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:9.0pt;font-family:"Helvetica","sans-serif"" class="">Proposal</span><o:p class=""></o:p></p>
</div>
<div class=""><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:9.0pt;font-family:"Helvetica","sans-serif"" class="">--------------</span><o:p class=""></o:p></p>
</div>
<div class=""><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:9.0pt;font-family:"Helvetica","sans-serif"" class="">Change: </span><o:p class=""></o:p></p>
</div><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:9.0pt;font-family:"Helvetica","sans-serif"" class="">Because the Authorization Response contains sensitive information, the Authorization Server MUST include the HTTP
"Cache-Control" response header field [RFC2616] with a value of "no-store" in the response.</span><o:p class=""></o:p></p>
<div class=""><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:9.0pt;font-family:"Helvetica","sans-serif"" class=""> </span><o:p class=""></o:p></p>
</div>
<div class=""><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:10.5pt;font-family:"Helvetica","sans-serif"" class="">To: </span><o:p class=""></o:p></p>
</div><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:9.0pt;font-family:"Helvetica","sans-serif"" class="">Because the Authorization Response contains information that cannot be re-used, the Authorization Server MUST include the HTTP "Cache-Control" response header field [RFC7234] with the value "no-cache" in the response.</span></p>
<div class=""><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:9.0pt;font-family:"Helvetica","sans-serif"" class=""> </span><o:p class=""></o:p></p>
</div>
<div class=""><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:9.0pt;font-family:"Helvetica","sans-serif"" class=""> </span><o:p class=""></o:p></p>
</div>
<div class=""><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:9.0pt;font-family:"Helvetica","sans-serif"" class="">I have a slight concern about the implementation state of "no-cache", as RFC 7234 says that it is not obeyed in some caches.</span></p>
</div>
<div class=""><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:9.0pt;font-family:"Helvetica","sans-serif"" class="">"no-cache" is semantically equivalent to "max-age=0, must-revalidate". Perhaps it may be better to add that in practice, but it seems inappropriate to have it in normative text. Perhaps a note in implementation considerations may be good.</span></p>
</div>
<div class=""><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:9.0pt;font-family:"Helvetica","sans-serif"" class=""> </span><o:p class=""></o:p></p>
</div>
<div class=""><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:9.0pt;font-family:"Helvetica","sans-serif"" class="">Nat</span><o:p class=""></o:p></p>
<div class=""><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:9.0pt;font-family:"Helvetica","sans-serif"" class=""> </span><o:p class=""></o:p></p>
</div>
<div class="">
<div class="">
<div class=""><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:9.0pt;font-family:"Helvetica","sans-serif"" class=""> </span><o:p class=""></o:p></p>
<div class=""><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:9.0pt;font-family:"Helvetica","sans-serif"" class="">2015-02-25 0:15 GMT+09:00 Brian Campbell <<a href="mailto:bcampbell@pingidentity.com" target="_blank" class="">bcampbell@pingidentity.com</a>>:</span><o:p class=""></o:p></p>
<div class=""><p class="MsoNormal" style="mso-margin-top-alt:auto;margin-bottom:12.0pt"><span style="font-size:9.0pt;font-family:"Helvetica","sans-serif"" class="">And it just (re)occurred to me that RFC 2616 has been obsoleted. So the reference in the text that I proposed in the
last message should probably be to RFC 7234 rather than RFC 2616. Also the current reference in the Form Post Response Mode to RFC 2616 for the "User Agent" term should probably be updated to RFC 7230.</span><o:p class=""></o:p></p>
</div>
<div class="">
<div class="">
<div class=""><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:9.0pt;font-family:"Helvetica","sans-serif"" class=""> </span><o:p class=""></o:p></p>
<div class=""><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:9.0pt;font-family:"Helvetica","sans-serif"" class="">On Tue, Feb 24, 2015 at 8:03 AM, Brian Campbell <<a href="mailto:bcampbell@pingidentity.com" target="_blank" class="">bcampbell@pingidentity.com</a>> wrote:</span><o:p class=""></o:p></p>
<div class=""><p class="MsoNormal" style="mso-margin-top-alt:auto;margin-bottom:12.0pt"><span style="font-size:9.0pt;font-family:"Helvetica","sans-serif"" class="">I think it'd be okay to have the "no-cache" directive in the example as well, if folks are keen on that. But it doesn't
replace "no-store". The example could have both, like "Cache-Control: no-cache, no-store". I don't think it's necessary as "no-store" is the stricter but I think it's okay to have it there too. <br class="">
<br class="">
On the <a href="http://lists.openid.net/pipermail/openid-specs-ab/Week-of-Mon-20150223/005280.html" target="_blank" class="">call yesterday</a> I asked if folks thought there should also be normative text in the Form Post Response Mode doc about not caching the authorization
response containing the auto-submitting HTML form. There's some text in <a href="http://tools.ietf.org/html/rfc6749#section-5.1" target="_blank" class="">§5.1 of RFC 6749 / <span style="background:white" class="">OAuth</span> 2.0 </a>that could be interpreted as obviating the
need for it, which says that the 'authorization server MUST include the HTTP "Cache-Control" response header field [RFC2616] with a value of "no-store" in any response containing tokens, credentials, or other sensitive information'. However, that's in a section
about the token endpoint and so could also be interpreted as not applying to the authorization response from the authorization endpoint at all. Thus, I'm (sorta) proposing to add the following sentence to the end of <a href="http://openid.net/specs/oauth-v2-form-post-response-mode-1_0.html#FormPostResponseMode" target="_blank" class="">§2
of OAuth 2.0 Form Post Response Mode</a>, 'Because the Authorization Response contains sensitive information, the Authorization Server MUST include the HTTP "Cache-Control" response header field [RFC2616] with a value of "no-store" in the response.'<br class="">
<br class="">
</span><o:p class=""></o:p></p>
</div>
<div class="">
<div class="">
<div class=""><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:9.0pt;font-family:"Helvetica","sans-serif"" class=""> </span><o:p class=""></o:p></p>
<div class=""><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:9.0pt;font-family:"Helvetica","sans-serif"" class="">On Mon, Feb 23, 2015 at 4:55 PM, Brian Campbell <<a href="mailto:bcampbell@pingidentity.com" target="_blank" class="">bcampbell@pingidentity.com</a>> wrote:</span><o:p class=""></o:p></p>
<div class="">
<div class=""><p class="MsoNormal" style="mso-margin-top-alt:auto;margin-bottom:12.0pt"><span style="font-size:9.0pt;font-family:"Helvetica","sans-serif"" class="">But that text is about directives on the cache-control _request_ header. </span><o:p class=""></o:p></p>
</div><p class="MsoNormal" style="mso-margin-top-alt:auto;margin-bottom:12.0pt"><span style="font-size:9.0pt;font-family:"Helvetica","sans-serif"" class="">The directives in question here are on the _response_. <br class="">
<br class="">
<a href="https://tools.ietf.org/html/rfc7234#section-5.2.2" target="_blank" class="">https://tools.ietf.org/html/rfc7234#section-5.2.2</a> is about the response directives. With <a href="https://tools.ietf.org/html/rfc7234#section-5.2.2.3" target="_blank" class="">https://tools.ietf.org/html/rfc7234#section-5.2.2.3</a> saying
this about "no-store",</span><o:p class=""></o:p></p>
<pre class=""> The "no-store" response directive indicates that a cache MUST NOT<o:p class=""></o:p></pre>
<pre class=""> store any part of either the immediate request or response. This<o:p class=""></o:p></pre>
<pre class=""> directive applies to both private and shared caches. "MUST NOT<o:p class=""></o:p></pre>
<pre class=""> store" in this context means that the cache MUST NOT intentionally<o:p class=""></o:p></pre>
<pre class=""> store the information in non-volatile storage, and MUST make a<o:p class=""></o:p></pre>
<pre class=""> best-effort attempt to remove the information from volatile storage<o:p class=""></o:p></pre>
<pre style="margin-bottom:12.0pt" class=""> as promptly as possible after forwarding it.<o:p class=""></o:p></pre><p class="MsoNormal" style="mso-margin-top-alt:auto;margin-bottom:12.0pt"><span style="font-size:9.0pt;font-family:"Helvetica","sans-serif"" class="">While "no-cache" at <a href="https://tools.ietf.org/html/rfc7234#section-5.2.2.2" target="_blank" class="">https://tools.ietf.org/html/rfc7234#section-5.2.2.2</a> isn't
as strong:</span><o:p class=""></o:p></p>
<pre class=""> The "no-cache" response directive indicates that the response MUST<o:p class=""></o:p></pre>
<pre class=""> NOT be used to satisfy a subsequent request without successful<o:p class=""></o:p></pre>
<pre class=""> validation on the origin server. This allows an origin server to<o:p class=""></o:p></pre>
<pre class=""> prevent a cache from using it to satisfy a request without contacting<o:p class=""></o:p></pre>
<pre class=""> it, even by caches that have been configured to send stale responses.<o:p class=""></o:p></pre><p class="MsoNormal" style="mso-margin-top-alt:auto;margin-bottom:12.0pt"><o:p class=""> </o:p></p>
</div>
<div class="">
<div class="">
<div class=""><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:9.0pt;font-family:"Helvetica","sans-serif"" class=""> </span><o:p class=""></o:p></p>
<div class=""><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:9.0pt;font-family:"Helvetica","sans-serif"" class="">On Mon, Feb 23, 2015 at 4:39 PM, Mike Jones <<a href="mailto:Michael.Jones@microsoft.com" target="_blank" class="">Michael.Jones@microsoft.com</a>> wrote:</span><o:p class=""></o:p></p>
<div class="">
<div class=""><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D" class="">Brian, “Cache-control: no-store” does not seem to imply “Cache-control: no-cache”. I say that because
of this sentence in 5.2.1.5 of <a href="https://tools.ietf.org/html/rfc7234#section-5.2.1" target="_blank" class="">https://tools.ietf.org/html/rfc7234#section-5.2.1</a>:</span><o:p class=""></o:p></p><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D" class=""> </span><o:p class=""></o:p></p><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN" style="font-family:"Courier New"" class=""> Note that if a request containing this directive is satisfied from a</span><o:p class=""></o:p></p><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN" style="font-family:"Courier New"" class=""> cache, the no-store request directive does not apply to the already</span><o:p class=""></o:p></p><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN" style="font-family:"Courier New"" class=""> stored response.</span><o:p class=""></o:p></p><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D" class=""> </span><o:p class=""></o:p></p><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D" class="">Therefore, to be safe, I believe that we have to replace the “Pragma: no-cache” in our example with
“Cache-control: no-cache”.</span><o:p class=""></o:p></p><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D" class=""> </span><o:p class=""></o:p></p><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D" class="">Do people agree with that conclusion?</span><o:p class=""></o:p></p><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D" class=""> </span><o:p class=""></o:p></p><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D" class=""> -- Mike</span><o:p class=""></o:p></p><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D" class=""> </span><o:p class=""></o:p></p>
<div class="">
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in" class=""><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><b class=""><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"" class="">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"" class=""> John Bradley [mailto:<a href="mailto:ve7jtb@ve7jtb.com" target="_blank" class="">ve7jtb@ve7jtb.com</a>] <br class="">
<b class="">Sent:</b> Thursday, February 19, 2015 7:19 PM<br class="">
<b class="">To:</b> Mike Jones<br class="">
<b class="">Cc:</b> Brian Campbell; <<a href="mailto:openid-specs-ab@lists.openid.net" target="_blank" class="">openid-specs-ab@lists.openid.net</a>><br class="">
<b class="">Subject:</b> Re: [Openid-specs-ab] Form Post Response Mode example has 'Pragma: no-cache'</span><o:p class=""></o:p></p>
</div>
</div>
<div class="">
<div class=""><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p class=""></o:p></p><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Yes and yes.<o:p class=""></o:p></p>
<div class=""><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p class=""></o:p></p>
<div class="">
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt" class="">
<div class=""><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">On Feb 19, 2015, at 5:08 PM, Mike Jones <<a href="mailto:Michael.Jones@microsoft.com" target="_blank" class="">Michael.Jones@microsoft.com</a>> wrote:<o:p class=""></o:p></p>
</div><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p class=""></o:p></p>
<div class="">
<div class=""><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D" class="">First question to the working group: Do we agree that </span>"Pragma: no-cache"<span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D" class=""> should
be changed to </span>"Cache-Control: no-cache"<span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D" class=""> in the Form Post Response Mode spec before approval?</span><o:p class=""></o:p></p>
</div>
<div class=""><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D" class=""> </span><o:p class=""></o:p></p>
</div>
<div class=""><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D" class="">Second question to the working group: If we agree to make this change (to text that only occurs
in a non-normative example), are people comfortable doing this without restarting the 60 day review period (but still notifying people of the change)?</span><o:p class=""></o:p></p>
</div>
<div class=""><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D" class=""> </span><o:p class=""></o:p></p>
</div>
<div class=""><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D" class="">My personal answers would be “yes” and “yes” but we shouldn’t do this at this point unless there’s
working group consensus to do so.</span><o:p class=""></o:p></p>
</div>
<div class=""><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D" class=""> </span><o:p class=""></o:p></p>
</div>
<div class=""><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D" class="">Brian, could you also send a note to the OAuth working group pointing out this problem with RFC 6749
and RFC 6750 and asking whether errata should be filed? This would help get more expert eyes on the issue.</span><o:p class=""></o:p></p>
</div>
<div class=""><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D" class=""> </span><o:p class=""></o:p></p>
</div>
<div class=""><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D" class="">Thanks for bringing this to our attention, Brian!</span><o:p class=""></o:p></p>
</div>
<div class=""><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D" class=""> </span><o:p class=""></o:p></p>
</div>
<div class=""><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D" class=""> -- Mike</span><o:p class=""></o:p></p>
</div>
<div class=""><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D" class=""> </span><o:p class=""></o:p></p>
</div>
<div class=""><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><b class=""><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"" class="">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"" class=""> Openid-specs-ab [<a href="mailto:openid-specs-ab-bounces@lists.openid.net" target="_blank" class="">mailto:openid-specs-ab-bounces@lists.openid.net</a>] <b class="">On
Behalf Of </b>Brian Campbell<br class="">
<b class="">Sent:</b> Thursday, February 19, 2015 2:17 PM<br class="">
<b class="">To:</b> <<a href="mailto:openid-specs-ab@lists.openid.net" target="_blank" class="">openid-specs-ab@lists.openid.net</a>><br class="">
<b class="">Subject:</b> [Openid-specs-ab] Form Post Response Mode example has 'Pragma: no-cache'</span><o:p class=""></o:p></p>
</div>
<div class=""><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p class=""></o:p></p>
</div>
<div class="">
<div class="">
<div class=""><p class="MsoNormal" style="mso-margin-top-alt:auto;margin-bottom:12.0pt">The example response in <a href="http://openid.net/specs/oauth-v2-form-post-response-mode-1_0-03.html#FormPostResponseExample" target="_blank" class=""><span style="color:purple" class="">http://openid.net/specs/oauth-v2-form-post-response-mode-1_0-03.html#FormPostResponseExample</span></a> has
a "Pragma: no-cache" response header.<o:p class=""></o:p></p>
</div>
<div class=""><p class="MsoNormal" style="mso-margin-top-alt:auto;margin-bottom:12.0pt">However both <a href="http://tools.ietf.org/html/rfc2616#section-14.32" target="_blank" class=""><span style="color:purple" class="">RFC 2616</span></a> and the shiny new <a href="https://tools.ietf.org/html/rfc7234#section-5.4" target="_blank" class=""><span style="color:purple" class="">RFC
7234</span></a> make special note along the lines of the following to say that it doesn't work as a response header:<br class="">
<br class="">
<o:p class=""></o:p></p>
</div>
<pre class=""><span style="font-size:12.0pt" class=""> 'Note: Because the meaning of "Pragma: no-cache" in responses is</span><o:p class=""></o:p></pre>
<pre class=""><span style="font-size:12.0pt" class=""> not specified, it does not provide a reliable replacement for</span><o:p class=""></o:p></pre>
<pre class=""><span style="font-size:12.0pt" class=""> "Cache-Control: no-cache" in them.'</span><o:p class=""></o:p></pre><p class="MsoNormal" style="mso-margin-top-alt:auto;margin-bottom:12.0pt"><br class="">
It doesn't really hurt anything having it in the Form Post Response Mode document but I'm thinking it'd be better to not further perpetuate the "Pragma: no-cache" response header myth in this specification* and that that line should probably be removed from
the example.<o:p class=""></o:p></p>
</div>
<div class="">
<div class=""><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Or am I wrong on this? And if so, what am I missing?<o:p class=""></o:p></p>
</div>
</div>
<div class=""><p class="MsoNormal" style="mso-margin-top-alt:auto;margin-bottom:12.0pt"> <o:p class=""></o:p></p>
</div>
<div class=""><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">* And, yeah, it's in Connect Core and OAuth 2.0 as well but I figured starting with a draft that wasn't yet final was good.<o:p class=""></o:p></p>
</div>
</div><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:9.0pt;font-family:"Helvetica","sans-serif"" class="">_______________________________________________<br class="">
Openid-specs-ab mailing list<br class="">
<a href="mailto:Openid-specs-ab@lists.openid.net" target="_blank" class="">Openid-specs-ab@lists.openid.net</a><br class="">
<a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab" target="_blank" class="">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a></span><o:p class=""></o:p></p>
</div>
</blockquote>
</div><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p class=""></o:p></p>
</div>
</div>
</div>
</div>
</div>
</div><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:9.0pt;font-family:"Helvetica","sans-serif"" class=""> </span><o:p class=""></o:p></p>
</div>
</div>
</div>
</div><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:9.0pt;font-family:"Helvetica","sans-serif"" class=""> </span><o:p class=""></o:p></p>
</div>
</div>
</div>
</div><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:9.0pt;font-family:"Helvetica","sans-serif"" class=""> </span><o:p class=""></o:p></p>
</div>
</div>
</div>
</div><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:9.0pt;font-family:"Helvetica","sans-serif"" class=""><br class="">
<br clear="all" class="">
</span><o:p class=""></o:p></p>
<div class=""><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:9.0pt;font-family:"Helvetica","sans-serif"" class=""> </span><o:p class=""></o:p></p>
</div>
</div>
</div><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:9.0pt;font-family:"Helvetica","sans-serif";color:#888888" class="">-- </span><o:p class=""></o:p></p>
<div class=""><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:9.0pt;font-family:"Helvetica","sans-serif";color:#888888" class="">Nat Sakimura (=nat)</span><o:p class=""></o:p></p>
<div class=""><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:9.0pt;font-family:"Helvetica","sans-serif";color:#888888" class="">Chairman, OpenID Foundation<br class="">
<a href="http://nat.sakimura.org/" target="_blank" class="">http://nat.sakimura.org/</a><br class="">
@_nat_en</span><o:p class=""></o:p></p>
</div>
</div>
</div>
</div>
</div>
</div><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:9.0pt;font-family:"Helvetica","sans-serif"" class=""> </span><o:p class=""></o:p></p>
</div>
</div>
</div>
</div><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:9.0pt;font-family:"Helvetica","sans-serif"" class=""><br class="">
<br clear="all" class="">
</span><o:p class=""></o:p></p>
<div class=""><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:9.0pt;font-family:"Helvetica","sans-serif"" class=""> </span><o:p class=""></o:p></p>
</div><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:9.0pt;font-family:"Helvetica","sans-serif"" class="">-- </span><o:p class=""></o:p></p>
<div class=""><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:9.0pt;font-family:"Helvetica","sans-serif"" class="">Nat Sakimura (=nat)</span><o:p class=""></o:p></p>
<div class=""><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:9.0pt;font-family:"Helvetica","sans-serif"" class="">Chairman, OpenID Foundation<br class="">
<a href="http://nat.sakimura.org/" target="_blank" class="">http://nat.sakimura.org/</a><br class="">
@_nat_en</span><o:p class=""></o:p></p>
</div>
</div>
</div>
</div>
</div>
</div><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:9.0pt;font-family:"Helvetica","sans-serif"" class=""><br class="">
<br clear="all" class="">
</span><o:p class=""></o:p></p>
<div class=""><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:9.0pt;font-family:"Helvetica","sans-serif"" class=""> </span><o:p class=""></o:p></p>
</div><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:9.0pt;font-family:"Helvetica","sans-serif"" class="">-- </span><o:p class=""></o:p></p>
</div>
</div>
<div class=""><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:9.0pt;font-family:"Helvetica","sans-serif";color:#888888" class="">--Breno</span><o:p class=""></o:p></p>
</div>
</div>
</div><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:9.0pt;font-family:"Helvetica","sans-serif"" class=""> </span><o:p class=""></o:p></p>
</div>
</div>
</div>
</blockquote>
</div><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:9.0pt;font-family:"Helvetica","sans-serif"" class=""><br class="">
<br clear="all" class="">
</span><o:p class=""></o:p></p>
<div class=""><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:9.0pt;font-family:"Helvetica","sans-serif"" class=""> </span><o:p class=""></o:p></p>
</div><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:9.0pt;font-family:"Helvetica","sans-serif"" class="">-- </span><o:p class=""></o:p></p>
<div class=""><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:9.0pt;font-family:"Helvetica","sans-serif"" class="">--Breno</span><o:p class=""></o:p></p>
</div>
</div>
</div>
</div>
</blockquote>
</div><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p class=""></o:p></p>
</div>
</div>
</div>
</div>
</div>
</div><p class="MsoNormal"><o:p class=""> </o:p></p>
</div>
</div>
</div>
</div><p class="MsoNormal"><o:p class=""> </o:p></p>
</div>
</div>
</div>
</div></blockquote></div><br class=""></div></body></html>