W3C home > Mailing lists > Public > public-webid@w3.org > May 2013

Re: Archaic HTTP "From:" Header

From: Melvin Carvalho <melvincarvalho@gmail.com>
Date: Mon, 27 May 2013 13:18:16 +0200
Message-ID: <CAKaEYhLTzaSDWdSU66aJmercZCysmd3qrRZ1p0XmyTnznjUMgA@mail.gmail.com>
To: Kingsley Idehen <kidehen@openlinksw.com>
Cc: "public-rww@w3.org" <public-rww@w3.org>, "public-webid@w3.org" <public-webid@w3.org>
On 3 April 2013 19:18, Kingsley Idehen <kidehen@openlinksw.com> wrote:

> All,
> I think the HTTP "From:" header [1] is now truly archaic circa. 2013. If
> the range of this particular predicate was a URI it would really aid our
> quest for a RWW.
> Suggestion:
> As part of our RWW bootstrap effort, we could consider an "X-From:" header
> that basically takes a URI or Literal value.
> I think we can flesh this out across WebID and RWW via implementations
> before moving up to TAG and IETF.
> Mark: what do you think, anyway ? :-)

After some investigation on this:

Here is the current text, which is slightly different from the RFC


The "From" header field contains an Internet email address for a human user
who controls the requesting user agent. The address ought to be
machine-usable, as defined by "mailbox" in Section

  From <https://svn.tools.ietf.org/svn/wg/httpbis/draft-ietf-httpbis/latest/p2-semantics.html#header.from>
   = mailbox <https://svn.tools.ietf.org/svn/wg/httpbis/draft-ietf-httpbis/latest/p2-semantics.html#header.from>

  mailbox <https://svn.tools.ietf.org/svn/wg/httpbis/draft-ietf-httpbis/latest/p2-semantics.html#header.from>
= <mailbox, defined in [RFC5322]
Section 3.4 <http://tools.ietf.org/html/rfc5322#section-3.4>>

An example is:

  From: webmaster@example.org

The From header field is rarely sent by non-robotic user agents. A user
agent *SHOULD NOT* send a From header field without explicit configuration
by the user, since that might conflict with the user's privacy interests or
their site's security policy.

Robotic user agents *SHOULD* send a valid From header field so that the
person responsible for running the robot can be contacted if problems occur
on servers, such as if the robot is sending excessive, unwanted, or invalid

Servers *SHOULD NOT* use the From header field for access control or
authentication, since most recipients will assume that the field value is
public information.


1. "From" seems to be largely unused according to various sources

2. Some people are already using "From" for http URIs

3. From my informal straw poll more people are in favour of using HTTP URIs
in From than against (roughly 2 to 1), though those against seem to be
strongly against

4. It may be possible to use another header, but that is less intuitive,
and we will need suggestions

5. It was pointed out that, what later became known as "WebID" stuffed an
HTTP URI in the header field.

6. The User-Agent field is used by spiders such as baidu and google to give

IMHO, this is a valuable use case for identifying on the web, without a
dependency on X.509 certs which are (at least perceived as) very hard to
deploy.  If you want strong security use TLS but it need not be mandatory
for more casual usage.  A use case might be to get a casual social web
going eg via the tabulator extenstion
So the question is which header to use for identity on the web ...

> --
> Regards,
> Kingsley Idehen
> Founder & CEO
> OpenLink Software
> Company Web: http://www.openlinksw.com
> Personal Weblog: http://www.openlinksw.com/**blog/~kidehen<http://www.openlinksw.com/blog/~kidehen>
> Twitter/Identi.ca handle: @kidehen
> Google+ Profile: https://plus.google.com/**112399767740508618350/about<https://plus.google.com/112399767740508618350/about>
> LinkedIn Profile: http://www.linkedin.com/in/**kidehen<http://www.linkedin.com/in/kidehen>
Received on Monday, 27 May 2013 11:18:52 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 20:54:43 UTC