Nope. Since HTTPS is a SHOULD I just wanted to ask. I'll add it.

EHL

On Apr 14, 2010, at 10:19, "Richard Barnes" <rbar...@bbn.com> wrote:

> This argument makes sense to me.
>
> EHL: Do you have an exception in mind?
>
>
> On Apr 14, 2010, at 10:15 AM, Jeroen van Bemmel wrote:
>
>> Since HTTPS is used, intermediate proxies aren't a problem. However,
>> a browser might store the response containing the token in
>> "Temporary Internet files" or similar locations, and rich clients
>> often use the same HTTP libraries as the browser. Since the server
>> cannot make any assumptions about which software is being used on
>> the client side, we have to assume the worst - hence 'MUST' to
>> reduce the chance of tokens being exposed to other programs /
>> malware running on the same machine.
>>
>> Of course this still does not guarantee that tokens don't get stored/
>> cached in insecure places, but it reduces the likelihood.
>>
>> Regards,
>> Jeroen
>>
>> On 13-4-2010 17:22, Eran Hammer-Lahav wrote:
>>>
>>> Is this really a MUST?
>>>
>>> EHL
>>>
>>>
>>> On 4/13/10 7:23 AM, "jbem...@zonnet.nl" <jbem...@zonnet.nl> wrote:
>>>
>>> All,
>>>
>>> I think the draft should explicitly state that the Authorization
>>> server MUST use Cache-Control: no-store on all responses that contain
>>> tokens or other sensitive information, since this is critical to the
>>> security properties of the protocol.
>>>
>>> Regards,
>>> Jeroen
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
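The following is an added illustration, not code from the thread or from any OAuth implementation: a token-endpoint response built with the headers the thread argues for, plus a small checker a defender could run over captured responses to catch token endpoints that forget them. It goes slightly beyond the thread by also checking for Pragma: no-cache (the companion header RFC 6749 section 5.1 later required for HTTP/1.0 caches); the token value and the sample header sets are constructed for the example.

```python
"""Added example (not from the mailing-list thread): an OAuth token
response that forbids caching, and a checker for captured responses.
Standard library only, so it runs offline."""
import json
from typing import Dict, List, Tuple


def token_response(access_token: str, expires_in: int = 3600) -> Tuple[int, Dict[str, str], bytes]:
    """Return (status, headers, body) for a token endpoint response.

    Cache-Control: no-store tells browsers and HTTP caches not to write
    the response to disk (the "Temporary Internet files" concern in the
    thread); Pragma: no-cache covers HTTP/1.0 intermediaries. Both are
    what RFC 6749 section 5.1 eventually mandated.
    """
    body = json.dumps({
        "access_token": access_token,   # constructed value for the example
        "token_type": "bearer",
        "expires_in": expires_in,
    }).encode()
    headers = {
        "Content-Type": "application/json;charset=UTF-8",
        "Cache-Control": "no-store",
        "Pragma": "no-cache",
    }
    return 200, headers, body


def parse_cache_control(value: str) -> Dict[str, str]:
    """Split a Cache-Control header into a lowercase directive -> value map."""
    directives: Dict[str, str] = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def check_no_store(headers: Dict[str, str]) -> List[str]:
    """Return findings for a response known to carry a token.

    An empty list means the response is acceptable. Header names are
    matched case-insensitively, as HTTP requires.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []
    cc = parse_cache_control(lower.get("cache-control", ""))
    if "no-store" not in cc:
        findings.append("Cache-Control lacks no-store")
    if "public" in cc or ("max-age" in cc and cc["max-age"] != "0"):
        findings.append("Cache-Control permits shared/long-lived caching")
    if lower.get("pragma", "").strip().lower() != "no-cache":
        findings.append("Pragma: no-cache missing (HTTP/1.0 caches)")
    return findings


# Constructed sample header sets (not captured from any real server).
GOOD_HEADERS = {
    "Content-Type": "application/json",
    "Cache-Control": "no-store",
    "Pragma": "no-cache",
}
BAD_HEADERS = {
    "Content-Type": "application/json",
    "Cache-Control": "private, max-age=300",
}


if __name__ == "__main__":
    status, hdrs, body = token_response("example-token-value")
    print(status, hdrs, body.decode())
    print("server response findings:", check_no_store(hdrs))
    print("bad response findings:", check_no_store(BAD_HEADERS))
```

The checker treats a missing no-store as a finding even when the response says private, because private only restricts shared caches and still lets a browser write the token to its on-disk cache, which is exactly the exposure the thread describes.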