> On 18 Mar 2021, at 11:33, Rifaat Shekh-Yusef <rifaat.s.i...@gmail.com> wrote: > > On Thu, Mar 18, 2021 at 3:45 AM Neil Madden <neil.mad...@forgerock.com > <mailto:neil.mad...@forgerock.com>> wrote: > > >> On 18 Mar 2021, at 05:33, Andrii Deinega <andrii.dein...@gmail.com >> <mailto:andrii.dein...@gmail.com>> wrote: >> >> >> The Cache-Control header, even with its strongest directive "no-store", is >> pretty naive protection... Below is an excerpt from RFC 7234 (Hypertext >> Transfer Protocol: Caching). >> >> This directive is NOT a reliable or sufficient mechanism for ensuring >> privacy. In particular, malicious or compromised caches might not recognize >> or obey this directive, and communications networks might be vulnerable to >> eavesdropping. > > This quote is about privacy. Your concerns so far have been about replay > protection. TLS protects both. > >> >> Regarding TLS, I've mentioned that we don't always have the luxury to see >> what is going on with the infrastructure. A bright example would be an AS >> implemented as a serverless application and hosted by one of the cloud >> providers. > > Right, but (as I’ve said before) the same reasoning applies to a JWT too. The > infrastructure could just as easily “terminate JWS” as it currently > terminates TLS. As I keep saying, it’s much better to spend your time > ensuring end-to-end TLS than end-to-end JWT. > > That's not always possible. In some enterprises, they will have an inspection > middlebox that breaks the end-to-end TLS, e.g., ZScaler.
And if you use encrypted JWTs to work around that you’ll soon have inspection middleboxes that break end-to-end JWT. This isn’t a game we can win by adding more layers of the same solution. — Neil -- ForgeRock values your Privacy <https://www.forgerock.com/your-privacy>
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
