Since HTTPS is used, intermediate proxies aren't a problem. However, a
browser might store the response containing the token in "Temporary
Internet files" or similar locations, and rich clients often use the
same HTTP libraries as the browser. Since the server cannot make any
assumptions about which software is being used on the client side, we
have to assume the worst - hence 'MUST', to reduce the chance of tokens
being exposed to other programs / malware running on the same machine.
Of course this still does not guarantee that tokens don't get
stored/cached in insecure places, but it reduces the likelihood.
Regards,
Jeroen
On 13-4-2010 17:22, Eran Hammer-Lahav wrote:
Is this really a MUST?
EHL
On 4/13/10 7:23 AM, "jbem...@zonnet.nl" <jbem...@zonnet.nl> wrote:
All,
I think the draft should explicitly state that the Authorization server
MUST use Cache-Control: no-store on all responses that contain tokens
or other sensitive information, since this is critical to the security
properties of the protocol.
Regards,
Jeroen
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
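As an added illustration of the requirement discussed in this thread (not code from the draft or from either poster), the following audit helper checks whether an authorization server's token response carries Cache-Control: no-store. It assumes the OAuth JSON token response shape (access_token / refresh_token fields) and takes headers as a plain dict; the sample responses at the bottom are constructed.

```python
import json

# Token response fields that mark a response as carrying sensitive material.
SENSITIVE_FIELDS = {"access_token", "refresh_token"}


def parse_cache_control(value):
    """Return the set of lowercase directive names in a Cache-Control value.
    Handles 'no-store, private, max-age=0' and values joined from repeated headers."""
    names = set()
    for part in value.split(","):
        name = part.strip().split("=", 1)[0].strip().lower()
        if name:
            names.add(name)
    return names


def audit_token_response(headers, body):
    """Check one HTTP response from an authorization server.
    headers: dict of header name -> value (names compared case-insensitively).
    body: response body as a string.
    Returns (ok, findings); responses that carry no token pass untouched."""
    findings = []
    try:
        payload = json.loads(body)
    except ValueError:
        return True, findings  # not a JSON token response; out of scope here
    if not isinstance(payload, dict) or not (SENSITIVE_FIELDS & payload.keys()):
        return True, findings  # e.g. an error response without tokens
    lowered = {k.lower(): v for k, v in headers.items()}
    directives = parse_cache_control(lowered.get("cache-control", ""))
    if "no-store" not in directives:
        if "no-cache" in directives:
            # no-cache only forces revalidation; the response may still be written to disk
            findings.append("Cache-Control has no-cache but lacks no-store")
        else:
            findings.append("Cache-Control: no-store missing on a response carrying a token")
    return not findings, findings


if __name__ == "__main__":
    # Constructed sample responses: the weak header set beside the corrected one.
    body = json.dumps({"access_token": "SAMPLE-TOKEN", "token_type": "bearer"})
    weak = {"Content-Type": "application/json", "Cache-Control": "no-cache"}
    fixed = {"Content-Type": "application/json", "Cache-Control": "no-store"}
    for label, hdrs in (("weak", weak), ("fixed", fixed)):
        ok, findings = audit_token_response(hdrs, body)
        print(label, "OK" if ok else "FAIL", findings)
```

The same check can be run over captured token-endpoint responses in a test suite to catch a misconfigured server before deployment.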