This argument makes sense to me.

EHL: Do you have an exception in mind?



On Apr 14, 2010, at 10:15 AM, Jeroen van Bemmel wrote:

Since HTTPS is used, intermediate proxies aren't a problem. However, a browser might store the response containing the token in "Temporary Internet Files" or similar locations, and rich clients often use the same HTTP libraries as the browser. Since the server cannot make any assumptions about which software is being used on the client side, we have to assume the worst; hence 'MUST', to reduce the chance of tokens being exposed to other programs/malware running on the same machine.

Of course this still does not guarantee that tokens don't get stored/cached in insecure places, but it reduces the likelihood.

Regards,
Jeroen

On 13-4-2010 17:22, Eran Hammer-Lahav wrote:

Is this really a MUST?

EHL


On 4/13/10 7:23 AM, "[email protected]" <[email protected]> wrote:

All,

I think the draft should explicitly state that the Authorization server
MUST use Cache-Control: no-store on all responses that contain tokens
or other sensitive information, since this is critical to the security
properties of the protocol.

Regards,
Jeroen
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
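As an added illustration of the header requirement discussed in this thread (example code, not from the thread or any OAuth implementation): a small audit routine that parses a captured token-endpoint response and reports whether it carries the cache directives a token response needs. It also checks for `Pragma: no-cache`, which the published OAuth 2.0 spec (RFC 6749, section 5.1) requires alongside `Cache-Control: no-store` for HTTP/1.0 caches; that header is an addition beyond what the thread proposes. The sample responses and the field names treated as sensitive are constructed for the example.

```python
import json
from typing import Dict, List, Tuple

# Constructed sample: a token response with no cache directives at all (the weak case).
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/json;charset=UTF-8\r\n"
    "\r\n"
    '{"access_token":"2YotnFZFEjr1zCsicMWpAA","token_type":"bearer","expires_in":3600}'
)

# Constructed sample: a common mistake, "no-cache" instead of "no-store".
# no-cache only forces revalidation; the response body may still be written to disk.
MISLABELED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/json;charset=UTF-8\r\n"
    "Cache-Control: no-cache\r\n"
    "\r\n"
    '{"access_token":"2YotnFZFEjr1zCsicMWpAA","token_type":"bearer","expires_in":3600}'
)

# Response fields whose presence marks the response as sensitive (an assumption for this example).
SENSITIVE_FIELDS = {"access_token", "refresh_token", "id_token", "code", "client_secret"}


def parse_http_response(raw: str) -> Tuple[int, Dict[str, str], str]:
    """Split a raw HTTP/1.x response into (status, headers, body); header names are lower-cased."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def audit_cache_headers(headers: Dict[str, str], body: str) -> List[str]:
    """Return a list of findings; empty means the response is acceptable.

    Only responses whose JSON body carries a sensitive field are held to the requirement.
    """
    findings: List[str] = []
    try:
        payload = json.loads(body)
    except ValueError:
        payload = {}
    if not isinstance(payload, dict) or not (SENSITIVE_FIELDS & set(payload)):
        return findings  # nothing sensitive in the body, so no directive is required

    h = {k.lower(): v for k, v in headers.items()}
    directives = [d.strip().lower() for d in h.get("cache-control", "").split(",") if d.strip()]
    if "no-store" not in directives:
        findings.append("Cache-Control lacks no-store")
    if h.get("pragma", "").lower() != "no-cache":
        findings.append("Pragma: no-cache missing")
    return findings


def build_token_response(token: dict) -> Tuple[int, Dict[str, str], str]:
    """Build the corrected response an authorization server should send for a token."""
    headers = {
        "Content-Type": "application/json;charset=UTF-8",
        "Cache-Control": "no-store",   # never write this response to any cache
        "Pragma": "no-cache",          # same instruction for HTTP/1.0 caches
    }
    return 200, headers, json.dumps(token)


if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("mislabeled", MISLABELED_RESPONSE)):
        _, hdrs, body = parse_http_response(raw)
        print(label, audit_cache_headers(hdrs, body))
    _, hdrs, body = build_token_response({"access_token": "x", "token_type": "bearer"})
    print("corrected", audit_cache_headers(hdrs, body))
```

The `no-cache` sample is the case worth remembering when reviewing a token endpoint: it looks like a cache restriction but does not forbid storage, so the audit still flags it.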
