There's an email chain over on W3C which dates back about 15 years: http://www.w3.org/Protocols/HTTP/Issues/cache-private.html
(1) "Cache-control: private" remains as in Roy's draft, but with a
mention of extensibility explicitly included. Single-user-agent caches
are effectively allowed to ignore this directive.
(2) "Cache-control: no-cache" is defined to mean exactly the same
thing as "Cache-control: private", but with no exception for
user-agent caches.
(3) We add "Cache-control: no-store", which applies to the entire
message and may be sent either in a response or in a request. If sent
in a request, it means "do not store any part of either this request
or any response to it." If sent in a response, it means "do not store
any part of either this response or the request that elicited it."
This applies to both single-user and shared caches. Caches should
obey it but we explicitly caution against depending on it as a privacy
mechanism. Users may explicitly store such responses outside of the
caching system (e.g., with a "Save as" dialog). History buffers may
store such responses as part of their normal operation.
It goes on to say:
The "private" directive indicates that parts of the response message
are intended for a single user and must not be cached except within a
private (non-shared) cache controlled by the user agent.
And most importantly:
Anyway, it seems like the main difference between "private" and
"no-cache" is that "private" allows caching in a user agent's
single-user cache, whereas "no-cache" does not.
So on this basis I'm taking it to mean that non-private caching is disallowed (i.e. at the proxy layer), but private caching is allowed (i.e. within the browser). I know this is simply discussion about a draft spec but it's the best explanation I've been able to find so far.
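
As an added illustration (not part of the original answer or of the W3C thread), the draft rules quoted above can be written as a storage decision for a shared proxy cache versus a browser's single-user cache. The function names and sample header values are constructed for this example, and the logic follows the draft wording quoted here, under which "no-cache" forbids storage everywhere; it does not model any particular cache implementation.

```python
import re

# One directive: a name, optionally followed by =token or ="quoted string".
# Quoted arguments may contain commas, so a plain split(",") would misparse them.
_DIRECTIVE = re.compile(r'([^\s,=]+)(?:\s*=\s*(?:"([^"]*)"|([^\s,]*)))?')


def parse_cache_control(value):
    """Return {directive: argument or None}, with directive names lower-cased."""
    directives = {}
    for name, quoted, bare in _DIRECTIVE.findall(value):
        directives[name.lower()] = quoted or bare or None
    return directives


def may_store(cache_control, shared):
    """Apply the draft rules quoted above; shared=True models a proxy cache."""
    d = parse_cache_control(cache_control)
    if "no-store" in d or "no-cache" in d:
        return False       # draft: no exception for user-agent caches
    if "private" in d:
        return not shared  # draft: only a single-user cache may keep it
    return True            # assumption: no restricting directive is present


# Constructed sample header values, not taken from any real server.
SAMPLES = [
    "private",
    'private="Set-Cookie, X-Account", max-age=60',
    "no-cache",
    "No-Store",
    "max-age=300",
]


def audit(samples=SAMPLES):
    """Return (header value, proxy may store, browser may store) per sample."""
    return [(s, may_store(s, shared=True), may_store(s, shared=False))
            for s in samples]


if __name__ == "__main__":
    for row in audit():
        print(row)
```

The second sample is the case a naive comma split gets wrong: the quoted argument stays attached to "private" instead of producing a stray directive.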