- From: Kingsley Idehen <kidehen@openlinksw.com>
- Date: Sat, 13 Jul 2013 11:52:04 -0400
- To: public-rww@w3.org
- Message-ID: <51E177A4.7070300@openlinksw.com>
On 7/13/13 10:55 AM, Melvin Carvalho wrote:
> It would be nice to be able to identify a user in HTTP, especially with
> read/write protocols and access control, it can be important to know
> who is trying to change something.
>
> There has been some discussion on whether the "From" header can be
> used to identify a user in HTTP, and my from most people is that this
> would be a good candidate to send a user, but for historical reasons
> it's limited to email, and changing this would perhaps get some
> pushback from the IETF.
>
> The suggestion has been to choose another header, so I thought that
> "User" might be a good candidate, since we have User Agent already.
>
> Here's the proposed text:
>
> [[
>
>
> User
>
> The User request-header field, if given, SHOULD contain an identifier
> for the human user who controls the requesting user agent. The address
> SHOULD be machine-usable, as defined by the "URI General Syntax" RFC 3986
>
> User = "User" ":" URI
>
> An example is:
>
> User:http://www.w3.org/People/Berners-Lee/card#i
>
> This header field MAY be used for logging purposes and as a means for
> identifying the source of invalid or unwanted requests. It SHOULD NOT
> be used as an insecure form of access protection. The interpretation
> of this field is that the request is being performed on behalf of the
> person given, who accepts responsibility for the method performed. In
> particular, robot agents SHOULD include this header so that the person
> responsible for running the robot can be contacted if problems occur
> on the receiving end.
>
> The client SHOULD NOT send the User header field without the user's
> approval, as it might conflict with the user's privacy interests or
> their site's security policy. It is strongly recommended that the user
> be able to disable, enable, and modify the value of this field at any
> time prior to a request.
>
> ]]
>
> Feedback welcome!
>

+1

Also note, UserID: might be a little clearer.

--
Regards,

Kingsley Idehen
Founder & CEO
OpenLink Software
Company Web: http://www.openlinksw.com
Personal Weblog: http://www.openlinksw.com/blog/~kidehen
Twitter/Identi.ca handle: @kidehen
Google+ Profile: https://plus.google.com/112399767740508618350/about
LinkedIn Profile: http://www.linkedin.com/in/kidehen
Attachments
- application/pkcs7-signature attachment: S/MIME Cryptographic Signature
Received on Saturday, 13 July 2013 15:52:29 UTC
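
The proposed text says the field MAY be used for logging and SHOULD NOT be used as an insecure form of access protection. The following is an added example, not part of the original message or of any specification: a server-side sketch that parses the proposed `User` header, records it as an unverified claim, and bases the write decision only on a separately authenticated identity. The function names, the `(name, value)` header list, the length cap and the ACL set are assumptions of this example.

```python
import re

# RFC 3986: scheme ":" followed only by unreserved, reserved or "%" characters.
# Anything else (CR, LF, spaces, control bytes, non-ASCII) fails the match.
_URI = re.compile(
    r"[A-Za-z][A-Za-z0-9+.-]*:[A-Za-z0-9\-._~:/?#\[\]@!$&'()*+,;=%]*"
)
MAX_LEN = 2048  # assumption: length cap chosen for this example


def parse_user_header(headers):
    """Return the claimed user URI from the proposed User header, or None.

    `headers` is a list of (name, value) pairs as received on the wire.
    """
    values = [v for k, v in headers if k.lower() == "user"]
    if len(values) != 1:          # absent, or repeated and therefore ambiguous
        return None
    value = values[0].strip(" \t")
    if len(value) > MAX_LEN or not _URI.fullmatch(value):
        return None               # not an absolute URI, or unsafe to log
    return value


def authorize_write(authenticated_id, acl, headers, log):
    """Decide a write request; the User header is logged, never trusted.

    `authenticated_id` is the identity proven by some other mechanism
    (assumption: e.g. a verified TLS client certificate), or None.
    """
    claimed = parse_user_header(headers)
    # The claim is kept for audit and contact purposes, marked as unverified.
    log.append({"authenticated": authenticated_id, "claimed_user": claimed})
    # Access depends only on the authenticated identity.
    return authenticated_id is not None and authenticated_id in acl
```
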