Re: Security in HTTP and caches

Henrik Frystyk Nielsen ([email protected])
Thu, 3 Nov 94 12:26:41 +0100


> > (a) the client should always fill in the From field (if nothing else,
> > with "nobody"@current-domain-name).
>
> The great public fiercely disagrees with having their email address
> automatically sent -- it's a privacy issue, and so I wouldn't enforce
> the From field.
>
> > (2) Allow servers to use host based authentication based on From address
> > rather than socket-peer address.
>
> From field is much easier to forge than the peer address; even a newbie could
> do it.

The From: field is a service field used for: 'if you want to contact me
then use this address'. For this reason it _should_ be very easy to change
but at the same time it should not be used for anything else.

-- cheers --

Henrik
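The point made in this exchange, as an added illustration that is not part of the thread: a server that decides host-based access from the socket peer address and treats the client-supplied From: header purely as contact information. The trusted network and the sample request are constructed assumptions.

```python
"""Host-based access control that uses the peer address for the decision and
keeps the HTTP From: header as contact information only (added example)."""
import ipaddress
from typing import Dict, Tuple

# Constructed assumption: peers in this network may fetch /private resources.
TRUSTED_NETS = [ipaddress.ip_network("10.1.0.0/16")]


def parse_request(raw: str) -> Tuple[str, str, Dict[str, str]]:
    """Parse an HTTP/1.0 request head into (method, path, headers)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def authorize(peer_ip: str, raw_request: str) -> Tuple[bool, str]:
    """Return (allowed, reason). Only the socket peer address is consulted;
    the From: value is recorded so the operator can contact the requester."""
    _method, path, headers = parse_request(raw_request)
    contact = headers.get("from", "<none>")
    peer = ipaddress.ip_address(peer_ip)
    if not path.startswith("/private"):
        return True, f"public resource; contact={contact}"
    if any(peer in net for net in TRUSTED_NETS):
        return True, f"peer {peer} in trusted net; contact={contact}"
    # From: is client-supplied and deliberately plays no part in the decision.
    return False, f"peer {peer} not trusted; From: {contact} ignored"


# Constructed request: a From: address that looks trusted but proves nothing.
SAMPLE = ("GET /private/report HTTP/1.0\r\n"
          "From: admin@example.org\r\n"
          "User-Agent: test\r\n\r\n")

if __name__ == "__main__":
    print(authorize("192.0.2.10", SAMPLE))  # denied: peer outside trusted net
    print(authorize("10.1.2.3", SAMPLE))    # allowed: peer inside trusted net
```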