It talks about *single* users. The problems we are facing here are *groups* of users. So the cache is a shared cache for this group of users in this case.
The problem is that without Cache-Control: private, any downstream cache would have the exact same problem. There's no way for it to know that the response differs based on IPs unless the Origin says so.
-- justin
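The point made in the message above, as an added example that is not part of the original message: a toy shared cache that keys on the URL only, placed in front of an origin whose body depends on the client IP. The origin function, the cache class, the addresses and the `max-age` value are all constructed for illustration.

```python
# Added illustration: every name and address here is constructed, not from the thread.

def origin(path, client_ip, mark_private):
    """Origin whose response body differs by client network (assumed behaviour)."""
    network = client_ip.split(".")[0]
    body = f"variant for network {network}"
    cache_control = "private, max-age=60" if mark_private else "max-age=60"
    return {"Cache-Control": cache_control}, body


class SharedCache:
    """Downstream shared cache: it sees only the URL and the response headers."""

    def __init__(self, fetch):
        self.fetch = fetch      # callable(path, client_ip) -> (headers, body)
        self.store = {}         # keyed on path only; the cache cannot key on client IP

    def get(self, path, client_ip):
        if path in self.store:
            return self.store[path], "HIT"
        headers, body = self.fetch(path, client_ip)
        # Directive names only, e.g. {"private", "max-age"}
        directives = {
            d.strip().split("=")[0].lower()
            for d in headers.get("Cache-Control", "").split(",")
        }
        # A shared cache must not store a response marked private (or no-store).
        if not directives & {"private", "no-store"}:
            self.store[path] = body
        return body, "MISS"


def replay(mark_private):
    """Two clients on different networks request the same URL through one shared cache."""
    cache = SharedCache(lambda p, ip: origin(p, ip, mark_private))
    clients = ["10.0.0.5", "203.0.113.9"]   # constructed sample addresses
    return [cache.get("/page", ip) for ip in clients]


if __name__ == "__main__":
    print("without private:", replay(False))  # second client gets the first client's variant
    print("with private:   ", replay(True))   # each client gets its own variant from the origin
```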
