Re: Security in HTTP and caches

Henrik Frystyk Nielsen (frystyk@ptsun00.cern.ch)
Thu, 3 Nov 1994 13:08:53 +0100

> > (a) the client should always fills in the from field (if nothing else,
> > with "nobody"@current-domain-name).
>
> The great public fiercely disagrees having their email address
> automatically sent -- it's a privacy issue, and I so wouldn't enforce
> the From field.
>
> > (2) Allow servers to use host based authentication based on From address
> > rather than socket-peer address.
>
> >From field is much easier forge than peer address, even a newbie could
> do it.

The From: field is a service field used for: 'if you want to contact me
then use this address'. For this reason it _should_ be very easy to change
but at the same time it should not be used for anything else.

-- cheers --

Henrik