OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: RE: [security-services] Preventing Caching

Thanks, this is very helpful. Note though that it mainly deals with proxy
caches or shared cached, and we are also somewhat concerned about client
caches, which are quite different.

> Naturally it is intended to deal primarily with the most 
> common case of Browser to Server HTML content using HTTP GET Req/Resp.
> 1. Note that only responses are cached.
> 2. SSL/TLS traffic is not cached.

Client caches will indeed cache SSL pages if told to.

> 3. Traffic with auth headers or cookies are usually not cached.
> 4. Post responses are not cached.

Likewise, this isn't true of browsers.

> For these reasons, a SOAP message sent over HTTP with a POST 
> method is unlikely to be cached even if no special steps are 
> taken to supress caching. Obviously a SAML Assertion carried 
> in a POST message will never be cached.

Not one sent to a server, but the assertion sent to the browser during SSO
can be, so that's the consideration we also have to take into account in the
non-SOAP bindings.

> On the principle of using belt and suspenders, SAML nodes 
> SHOULD do the following:

I'll incorporate this information into the bindings, thanks again.

-- Scott

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]