Re: [OAUTH-WG] Improper use of 'Pragma: no-cache' response header in OAuth 2.0 RFCs?

Brian Campbell <bcampbell@pingidentity.com> Tue, 24 February 2015 18:00 UTC

Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 32DDF1A1BFA for <oauth@ietfa.amsl.com>; Tue, 24 Feb 2015 10:00:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.949
X-Spam-Level:
X-Spam-Status: No, score=-1.949 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_IMAGE_ONLY_24=1.618, HTML_IMAGE_RATIO_08=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_REMOTE_IMAGE=0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id T9lC2342-FxQ for <oauth@ietfa.amsl.com>; Tue, 24 Feb 2015 10:00:24 -0800 (PST)
Received: from na3sys009aog133.obsmtp.com (na3sys009aog133.obsmtp.com [74.125.149.82]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CB4F71A1B9E for <oauth@ietf.org>; Tue, 24 Feb 2015 10:00:23 -0800 (PST)
Received: from mail-ie0-f173.google.com ([209.85.223.173]) (using TLSv1) by na3sys009aob133.postini.com ([74.125.148.12]) with SMTP ID DSNKVOy8N/6/ycUcc6fqitfPGEQ0QUHMMiPD@postini.com; Tue, 24 Feb 2015 10:00:23 PST
Received: by iecar1 with SMTP id ar1so34189690iec.11 for <oauth@ietf.org>; Tue, 24 Feb 2015 10:00:22 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:content-type; bh=pBvdEcDYONyd8MyElsUAk44nA/K95Z3h/tjt2ydivXM=; b=KYylEXszDapzUzfm3umjdtBY+EQ/LYx7tWRQ9ztzgyhV+h9OScGwZZnttWPg3uQNX1 pzMbzVNJ3fyt7WJCeu9VgcT/rF9kvo11qiZF91rjH+g42fe5sKTznLyI4iBugt5gGzkg lSmwWDwFuq9GooV47Hlo2EZjONG3nZ9NrQH0w4FcZkZAEFG/7cGZQfrNqHxMAGNspTp8 zNSKNAh85PhPHea/EwyzO6EhDa1tIICceRUs0jjZvp6J7Zb7Ue78cYP/yYbMa6PXc24l tGhM3HLfgxM22dLHNbnC7rGR4tz4ixL3TuA+OF8lqxKfmF3n7/2CjsJZEeNqM/ZPuTCK ifmA==
X-Gm-Message-State: ALoCoQm5ruAVF4U34JasW1KX4nlrXCzieFjJnq63/O9H2lv2iYRaFSff+KbMAjgGPa8jXsbnlYMDcKzJfdi6RBQYQXrc6afu5I610/V7mJMUcdsDhRV9yUfLALK4AHJSdAAekB20IphW
X-Received: by 10.42.113.2 with SMTP id a2mr18977373icq.30.1424800822673; Tue, 24 Feb 2015 10:00:22 -0800 (PST)
X-Received: by 10.42.113.2 with SMTP id a2mr18977359icq.30.1424800822531; Tue, 24 Feb 2015 10:00:22 -0800 (PST)
MIME-Version: 1.0
Received: by 10.64.54.98 with HTTP; Tue, 24 Feb 2015 09:59:52 -0800 (PST)
In-Reply-To: <CA+k3eCQ+bbQV8dNtP-fe7jEjwjwseu8uvi5ebh8hW_rZ8L0wmg@mail.gmail.com>
References: <CA+k3eCQ+bbQV8dNtP-fe7jEjwjwseu8uvi5ebh8hW_rZ8L0wmg@mail.gmail.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Tue, 24 Feb 2015 10:59:52 -0700
Message-ID: <CA+k3eCR356zPhnt8xvETWUJyjOrEzvGiKQ5j3HJsj_Yu=paVcg@mail.gmail.com>
To: oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary=001a11c3e82ae75954050fd94a43
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/hurgOlzGl80TdXvSc0BXUbjqJX4>
Subject: Re: [OAUTH-WG] Improper use of 'Pragma: no-cache' response header in OAuth 2.0 RFCs?
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 24 Feb 2015 18:00:26 -0000

I know it's kind of a trivial issue but I was hoping that at least a couple
people would either agree with me or explain why I'm wrong.


On Thu, Feb 19, 2015 at 4:47 PM, Brian Campbell <bcampbell@pingidentity.com>
wrote:

> Examples in RFC 6750 <http://tools.ietf.org/html/rfc6750> and RFC 6749
> <http://tools.ietf.org/html/rfc6749> as well as some normative text in section
> 5.1 of RFC 6749 <http://tools.ietf.org/html/rfc6749#section-5.1> use a
> "Pragma: no-cache" HTTP response header. However, both RFC 2616
> <http://tools.ietf.org/html/rfc2616#section-14.32> and the shiny new RFC
> 7234 <https://tools.ietf.org/html/rfc7234#section-5.4> make special note
> along the lines of the following to say that it doesn't work as response
> header:
>
>    'Note: Because the meaning of "Pragma: no-cache" in responses is
>     not specified, it does not provide a reliable replacement for
>     "Cache-Control: no-cache" in them.'
>
>
> The header doesn't hurt anything, I don't think, so having it in these
> documents isn't really a problem. But it seems like it'd be better to not
> further perpetuate the "Pragma: no-cache" response header myth in actual
> published RFCs.
>
> So with that said, two questions:
>
> 1) Do folks agree that 6747/6750 are using the "Pragma: no-cache" response
> header inappropriately?
>
> 2) If so, does this qualify as errata?
>