💯

Warren Parad
Founder, CTO
Secure your user data with IAM authorization as a service. Implement Authress <https://authress.io/>.

On Thu, Mar 18, 2021 at 1:07 PM Neil Madden <neil.mad...@forgerock.com> wrote:

> On 18 Mar 2021, at 11:33, Rifaat Shekh-Yusef <rifaat.s.i...@gmail.com> wrote:
>
> On Thu, Mar 18, 2021 at 3:45 AM Neil Madden <neil.mad...@forgerock.com> wrote:
>
>> On 18 Mar 2021, at 05:33, Andrii Deinega <andrii.dein...@gmail.com> wrote:
>>
>> The Cache-Control header, even with its strongest directive "no-store", is pretty naive protection... Below is an excerpt from RFC 7234 (Hypertext Transfer Protocol: Caching).
>>
>>> This directive is NOT a reliable or sufficient mechanism for ensuring privacy. In particular, malicious or compromised caches might not recognize or obey this directive, and communications networks might be vulnerable to eavesdropping.
>>
>> This quote is about privacy. Your concerns so far have been about replay protection. TLS protects both.
>>
>> Regarding TLS, I've mentioned that we don't always have the luxury to see what is going on with the infrastructure. A bright example would be an AS implemented as a serverless application and hosted by one of the cloud providers.
>>
>> Right, but (as I’ve said before) the same reasoning applies to a JWT too. The infrastructure could just as easily “terminate JWS” as it currently terminates TLS. As I keep saying, it’s much better to spend your time ensuring end-to-end TLS than end-to-end JWT.
>
> That's not always possible. In some enterprises, they will have an inspection middlebox that breaks the end-to-end TLS, e.g., ZScaler.
>
> And if you use encrypted JWTs to work around that you’ll soon have inspection middleboxes that break end-to-end JWT. This isn’t a game we can win by adding more layers of the same solution.
>
> — Neil
>
> ForgeRock values your Privacy <https://www.forgerock.com/your-privacy>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth