Re: Security in HTTP and caches

Henrik Frystyk Nielsen
Thu, 3 Nov 1994 13:08:53 +0100

> > (a) the client should always fill in the from field (if nothing else,
> > with "nobody"@current-domain-name).
> The great public fiercely disagrees having their email address
> automatically sent -- it's a privacy issue, and I so wouldn't enforce
> the From field.
> > (2) Allow servers to use host based authentication based on From address
> > rather than socket-peer address.
> From field is much easier to forge than peer address, even a newbie could
> do it.

The From: field is a service field used for: 'if you want to contact me
then use this address'. For this reason it _should_ be very easy to change
but at the same time it should not be used for anything else.

