Re: From: abuse

"William M. Perry" <wmperry@mango.ucs.indiana.edu>
Errors-To: secret@www0.cern.ch
Date: Wed, 9 Feb 1994 22:16:06 --100
Message-id: <9402092109.AA21728@dxmint.cern.ch>
Reply-To: www-talk@www0.cern.ch
Originator: www-talk@info.cern.ch
Sender: www-talk@www0.cern.ch
Precedence: bulk
From: "William M. Perry" <wmperry@mango.ucs.indiana.edu>
To: Multiple recipients of list <www-talk@www0.cern.ch>
Subject: Re: From: abuse
X-Listprocessor-Version: 6.0c -- ListProcessor by Anastasios Kotsikonas
Content-Length: 1814
????, then rob mcool, then lou montulli sez
>>
>> So Rob McCool sez to me:
>> > I think we need to change this section to read that From: is to be
>> > used for logging purposes only, and strike the mention of insecure
>> > form of access protection and the section on the person given
>> > accepting responsibility for the method performed. The only access
>> > protection this would provide is applicable in such a limited context
>> > that the information in From: is not useful for more than logging
>> > information anyway.
>> 
>> I agree.  I'm much more interested in clients that can (eventually)
>> encrypt a password field in a document and send it to the server for
>> validation than in ever suggesting that the From: field could be used
>> for some sort of access control.  OTOH, I'd just love to have the server
>> log that information - there are a number of cases where we could make
>> use of user name information in our summary stats.

   The encryption is nicely handled now by the emacs browser and mosaic2.2 +
httpd1.1, I think this should solve most of the security problems (at least
in the USA... %!#@!ing patents/export restrictions on encryption
algorithms... blah).

>While we are on that subject.  I would love to see the Within? field
>logged.  There is some field that is supposed to be the URI of the
>document that contained the requested URI.  If we had that logged then we
>could tell which documents had pointers into our data, and we might be
>able to inform people who maintain these documents when we move/destroy
>our own docs.

   I think you are thinking of the 'Referer:' field.  I send this when
possible, but do any others? I think lynx does, but I don't recall seeing
it in a request from Mosaic.  It could be extremely useful in the case of
failed requests.

-Bill P.
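
An added example, not part of the original message: one way to use logged Referer values for the failed-request case discussed above, listing which outside documents still point at paths that now fail. It assumes the server writes Combined Log Format (which postdates this thread); the function name and the sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Assumption: Combined Log Format, with the Referer as the first quoted
# field after the byte count. That format postdates this thread.
LINE_RE = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)"'
)

# Constructed sample log lines (not taken from the message).
SAMPLE_LOG = """\
192.0.2.10 - - [09/Feb/1994:22:01:00 +0100] "GET /docs/old.html HTTP/1.0" 404 210 "http://example.org/links.html" "Lynx"
192.0.2.11 - - [09/Feb/1994:22:02:00 +0100] "GET /docs/old.html HTTP/1.0" 404 210 "http://example.org/links.html" "Lynx"
192.0.2.12 - - [09/Feb/1994:22:03:00 +0100] "GET /docs/old.html HTTP/1.0" 404 210 "http://example.net/index.html" "emacs-w3"
192.0.2.13 - - [09/Feb/1994:22:04:00 +0100] "GET /docs/new.html HTTP/1.0" 200 5120 "http://example.org/links.html" "Lynx"
192.0.2.14 - - [09/Feb/1994:22:05:00 +0100] "GET /gone.html HTTP/1.0" 410 0 "-" "Mosaic"
this line is malformed and is skipped
"""

def stale_inbound_links(log_text):
    """Map each failed path to {referring document: hit count}.

    Referer is supplied by the client and is unauthenticated, so the
    result is a hint for maintainers and statistics, never evidence.
    """
    report = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m is None or m["status"] not in ("404", "410"):
            continue  # malformed line, or a request that did not fail
        try:
            ref = urlsplit(m["referer"])
        except ValueError:
            continue  # unparseable Referer value
        # Keep only well-formed http(s) referers; "-" and odd schemes drop out.
        if ref.scheme not in ("http", "https") or not ref.netloc:
            continue
        report[m["path"]][m["referer"]] += 1
    return {path: dict(refs) for path, refs in report.items()}

if __name__ == "__main__":
    for path, refs in stale_inbound_links(SAMPLE_LOG).items():
        for ref, hits in sorted(refs.items(), key=lambda kv: -kv[1]):
            print(f"{path}  <-  {ref}  ({hits} failed requests)")
```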