> On 18 Mar 2021, at 11:33, Rifaat Shekh-Yusef <[email protected]> wrote: > > On Thu, Mar 18, 2021 at 3:45 AM Neil Madden <[email protected] > <mailto:[email protected]>> wrote: > > >> On 18 Mar 2021, at 05:33, Andrii Deinega <[email protected] >> <mailto:[email protected]>> wrote: >> >> >> The Cache-Control header, even with its strongest directive "no-store", is >> pretty naive protection... Below is an excerpt from RFC 7234 (Hypertext >> Transfer Protocol: Caching). >> >> This directive is NOT a reliable or sufficient mechanism for ensuring >> privacy. In particular, malicious or compromised caches might not recognize >> or obey this directive, and communications networks might be vulnerable to >> eavesdropping. > > This quote is about privacy. Your concerns so far have been about replay > protection. TLS protects both. > >> >> Regarding TLS, I've mentioned that we don't always have the luxury to see >> what is going on with the infrastructure. A bright example would be an AS >> implemented as a serverless application and hosted by one of the cloud >> providers. > > Right, but (as I’ve said before) the same reasoning applies to a JWT too. The > infrastructure could just as easily “terminate JWS” as it currently > terminates TLS. As I keep saying, it’s much better to spend your time > ensuring end-to-end TLS than end-to-end JWT. > > That's not always possible. In some enterprises, they will have an inspection > middlebox that breaks the end-to-end TLS, e.g., ZScaler.
And if you use encrypted JWTs to work around that you’ll soon have inspection middleboxes that break end-to-end JWT. This isn’t a game we can win by adding more layers of the same solution. — Neil -- ForgeRock values your Privacy <https://www.forgerock.com/your-privacy>
_______________________________________________ OAuth mailing list [email protected] https://www.ietf.org/mailman/listinfo/oauth
