Does cache-control:private without expiration data imply "expire immediately"?

Most content I've observed being served from ASP.NET has only a Cache-Control: private header, with no Last-Modified or Etag header.

I've also observed that browsers never seem to cache this content, evidenced by having never seen browsers issue anything but unconditional GET requests for it.

I'm trying to support the assertion that a resource having Cache-Control:private and no expiration data will be treated by all browsers as "do not cache", but can't find anything in the RFC (http://ww开发者_运维百科w.w3.org/Protocols/rfc2616/rfc2616-sec14.html) to confirm or refute it.

Is my assertion correct? Please cite!

There's an email chain over on W3C which dates back about 15 years: http://www.w3.org/Protocols/HTTP/Issues/cache-private.html

(1) "Cache-control: private" remains as in Roy's draft, but with a mention of extensibility explicitly included. Single-user-agent caches are effectively allowed to ignore this directive.

(2) "Cache-control: no-cache" is defined to mean exactly the same thing as "Cache-control: private", but with no exception for user-agent caches.

(3) We add "Cache-control: no-store", which applies to the entire message and may be sent either in a response or in a request. If sent in a request, it means "do not store any part of either this request or any response to it." If sent in a response, it means "do not store any part of either this response or the request that elicited it." This applies to both single-user and shared caches. Caches should obey it but we explicitly caution against depending on it as a privacy mechanism. Users may explicitly store such responses outside of the caching system (e.g., with a "Save as" dialog. History buffers may store such responses as part of their normal operation.

It goes on to say:

The "private" directive indicates that parts of the response message are intended for a single user and must not be cached except within a private (non-shared) cache controlled by the user agent.

And most importantly:

Anyway, it seems like the main difference between "private" and "no-cache" is that "private" allows caching in a user agent's single-user cache, whereas "no-cache" does not.

So on this basis I'm taking it to mean that non-private caching is disallowed (i.e. at the proxy layer), but private caching is allowed (i.e. within the browser). I know this is simply discussion about a draft spec but it's the best explanation I've been able to find so far.