[OAUTH-WG] Improper use of 'Pragma: no-cache' response header in OAuth 2.0 RFCs?

Brian Campbell <bcampbell@pingidentity.com> Thu, 19 February 2015 23:48 UTC

Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 37CDD1A1A50 for <oauth@ietfa.amsl.com>; Thu, 19 Feb 2015 15:48:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.578
X-Spam-Level:
X-Spam-Status: No, score=-3.578 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7rOJVaJqIUH2 for <oauth@ietfa.amsl.com>; Thu, 19 Feb 2015 15:48:23 -0800 (PST)
Received: from na3sys009aog104.obsmtp.com (na3sys009aog104.obsmtp.com [74.125.149.73]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CB05F1A1A5A for <oauth@ietf.org>; Thu, 19 Feb 2015 15:48:21 -0800 (PST)
Received: from mail-ie0-f173.google.com ([209.85.223.173]) (using TLSv1) by na3sys009aob104.postini.com ([74.125.148.12]) with SMTP ID DSNKVOZ2RYttjR70Yglo7UNLcULVyn4xZYAb@postini.com; Thu, 19 Feb 2015 15:48:21 PST
Received: by iecrd18 with SMTP id rd18so4047927iec.8 for <oauth@ietf.org>; Thu, 19 Feb 2015 15:48:21 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:from:date:message-id:subject:to :content-type; bh=QHnnCqXDWlFugDAxaHPmWsD8w5ZJq1Lqy8LMa4wwYho=; b=Hun4f0dK5BITE0cLpkosLmn4Hd6N6I1LbNqj1OeqghDJmO+q13yW6BEG4gZjhlG2Xg Zxlj24ji/nxfokMxqzQWPHlEnGUz+vakP9xRdlhoz64FRDKfnXGjVud2btpKLmNcOpEf K/2w6T/UwVxnUk9zkKL8JXlEh5YB9iTsFsQhlXT1h0DLOC5GQNji15Rn8gtyfD85SR64 hXxwCNrWDZtBXpu/rnrxN+RB/gLi3fNycnrGe7M5lybL3/JUK4wGfW4S+fbdB/CNt+cw cOOukjMa55KHacGpyuZnE0L0lZTalOj8iUhearoR4YhVRuCm7FZLttQJ8Dhh9AiLgEEL Gi4A==
X-Gm-Message-State: ALoCoQnns0G8AEmkzuzy7ueAYJ4p+q5NDGw/6Bn/hrsyv3SE+uDKgmy9+MeV1sY8l5aX6+ih93PYv4H304wz9X777IvYiQe8tcQh0O71eB4Wj2QGL15gSjLGEJr5Fu868hjk+jnb4paJ
X-Received: by 10.42.196.199 with SMTP id eh7mr8933853icb.1.1424389701126; Thu, 19 Feb 2015 15:48:21 -0800 (PST)
X-Received: by 10.42.196.199 with SMTP id eh7mr8933836icb.1.1424389700826; Thu, 19 Feb 2015 15:48:20 -0800 (PST)
MIME-Version: 1.0
Received: by 10.64.107.105 with HTTP; Thu, 19 Feb 2015 15:47:50 -0800 (PST)
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Thu, 19 Feb 2015 16:47:50 -0700
Message-ID: <CA+k3eCQ+bbQV8dNtP-fe7jEjwjwseu8uvi5ebh8hW_rZ8L0wmg@mail.gmail.com>
To: oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary=485b397dd0cd23d3c0050f79928a
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/9DdkE2P0RrUZMeZAbdf3NrMfy0w>
Subject: [OAUTH-WG] Improper use of 'Pragma: no-cache' response header in OAuth 2.0 RFCs?
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 19 Feb 2015 23:48:25 -0000

Examples in RFC 6750 <http://tools.ietf.org/html/rfc6750> and RFC 6749
<http://tools.ietf.org/html/rfc6749> as well as some normative text in section
5.1 of RFC 6749 <http://tools.ietf.org/html/rfc6749#section-5.1> use a
"Pragma: no-cache" HTTP response header. However, both RFC 2616
<http://tools.ietf.org/html/rfc2616#section-14.32> and the shiny new RFC
7234 <https://tools.ietf.org/html/rfc7234#section-5.4> make special note
along the lines of the following to say that it doesn't work as response
header:

   'Note: Because the meaning of "Pragma: no-cache" in responses is
    not specified, it does not provide a reliable replacement for
    "Cache-Control: no-cache" in them.'


The header doesn't hurt anything, I don't think, so having it in these
documents isn't really a problem. But it seems like it'd be better to not
further perpetuate the "Pragma: no-cache" response header myth in actual
published RFCs.

So with that said, two questions:

1) Do folks agree that 6747/6750 are using the "Pragma: no-cache" response
header inappropriately?

2) If so, does this qualify as errata?