Re: [OAUTH-WG] Improper use of 'Pragma: no-cache' response header in OAuth 2.0 RFCs?

John Bradley <ve7jtb@ve7jtb.com> Tue, 24 February 2015 18:15 UTC

Return-Path: <ve7jtb@ve7jtb.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E5E441A876E for <oauth@ietfa.amsl.com>; Tue, 24 Feb 2015 10:15:19 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ne0R6WJiRlh0 for <oauth@ietfa.amsl.com>; Tue, 24 Feb 2015 10:15:18 -0800 (PST)
Received: from mail-qa0-f46.google.com (mail-qa0-f46.google.com [209.85.216.46]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E1B6C1A1B59 for <oauth@ietf.org>; Tue, 24 Feb 2015 10:15:17 -0800 (PST)
Received: by mail-qa0-f46.google.com with SMTP id n4so28450652qaq.5 for <oauth@ietf.org>; Tue, 24 Feb 2015 10:15:17 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:content-type:mime-version:subject:from :in-reply-to:date:cc:message-id:references:to; bh=zJsOWdxQUfOAy9JY2e+1JhYjzsxP0lg/C6hGHdHqFHk=; b=Dp75Nn4l7orC5NKhG1Q6FXJgNKnWN855MYMBQtcfyNf8LFkA7JsbNB8L+Bi7qXhygg pb+RYD7wklbKV9d901rcCjb6uvh0h6jjU2wngHMOvxnhxnxcoqV9EpwKfMguG1X2pIGa dtI0CE/H+psDzoyvZGs4RX56czGul+uBLo/wBCSyMH7EsAZlsEZMqFII0it7VzERZU98 6wDLvC3uw+0YB4e/Vx1NporFM2DxB4+W/uG/XADoL68dFIRX5BpTMmbmDbGusooxMIqo zXgAa7Zl5lxL6+KEMEXyFm7vF5vYR4QvziJ+RsM8I+51irpbAD1vIyhn/FTKDKJZVyEB ILDA==
X-Gm-Message-State: ALoCoQmV0zerVpdnM6Nns+Tl7QcoClPvwltu9okyC41fW9FswwWZPCit9us/O4naEXOcFbH0mkrJ
X-Received: by 10.140.151.65 with SMTP id 62mr38443589qhx.73.1424801717094; Tue, 24 Feb 2015 10:15:17 -0800 (PST)
Received: from [10.2.2.171] (PING-IDENTI.bar1.Boston1.Level3.net. [4.31.154.18]) by mx.google.com with ESMTPSA id j94sm29924052qgd.47.2015.02.24.10.15.15 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Tue, 24 Feb 2015 10:15:16 -0800 (PST)
Content-Type: multipart/signed; boundary="Apple-Mail=_E7FC654D-F796-4D18-B7BC-FA2B516F087A"; protocol="application/pkcs7-signature"; micalg=sha1
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2070.6\))
From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <CA+k3eCQ+bbQV8dNtP-fe7jEjwjwseu8uvi5ebh8hW_rZ8L0wmg@mail.gmail.com>
Date: Tue, 24 Feb 2015 13:15:15 -0500
Message-Id: <B07D3115-BC4E-44C5-939C-3B2AD4D2EE2C@ve7jtb.com>
References: <CA+k3eCQ+bbQV8dNtP-fe7jEjwjwseu8uvi5ebh8hW_rZ8L0wmg@mail.gmail.com>
To: Brian Campbell <bcampbell@pingidentity.com>
X-Mailer: Apple Mail (2.2070.6)
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/UmN9zRe0kbK59lte4x8HnLkBXkw>
Cc: oauth <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Improper use of 'Pragma: no-cache' response header in OAuth 2.0 RFCs?
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 24 Feb 2015 18:15:20 -0000

Yes, so we should track it but I don’t think it rises to the level of an errata on its own. 
> On Feb 19, 2015, at 6:47 PM, Brian Campbell <bcampbell@pingidentity.com> wrote:
> 
> Examples in RFC 6750 <http://tools.ietf.org/html/rfc6750> and RFC 6749 <http://tools.ietf.org/html/rfc6749> as well as some normative text in section 5.1 of RFC 6749 <http://tools.ietf.org/html/rfc6749#section-5.1> use a "Pragma: no-cache" HTTP response header. However, both RFC 2616 <http://tools.ietf.org/html/rfc2616#section-14.32> and the shiny new RFC 7234 <https://tools.ietf.org/html/rfc7234#section-5.4> make special note along the lines of the following to say that it doesn't work as response header:
> 
>    'Note: Because the meaning of "Pragma: no-cache" in responses is
>     not specified, it does not provide a reliable replacement for
>     "Cache-Control: no-cache" in them.'
> 
> The header doesn't hurt anything, I don't think, so having it in these documents isn't really a problem. But it seems like it'd be better to not further perpetuate the "Pragma: no-cache" response header myth in actual published RFCs.
> 
> So with that said, two questions:
> 
> 1) Do folks agree that 6747/6750 are using the "Pragma: no-cache" response header inappropriately? 
> 
> 2) If so, does this qualify as errata?
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth