Comment 2 for bug 1202952

Looks legitimate. A quick check of the code shows that we do not test the format of the revocation list for each of the backends, but merely that the ID in is the same as the revoked ID, which would mask this issue.

The memcached backend already has a serious and public failing in that it is not persisted over reboots. As such, using the memcahced backend for tokens is probably a bad choice.

One solution to both problems would be to have the revocation list always stored in SQL.