Message-Id: <9501311248.AA14007@tabaqui>
From: firstname.lastname@example.org (Stephen R. van den Berg)
Date: Tue, 31 Jan 1995 13:48:55 +0100
In-Reply-To: "Roy T. Fielding"'s message as of 1995 Jan 30 Mon 20:13. <email@example.com>
To: firstname.lastname@example.org
Subject: Re: mailserver URL

In principle I'm charmed by the scalability of the approach to allow arbitrary header fields to be specified.

But, if people consider this to be too much of a security hazard, why not simply state in the RFC that implementors should initially ignore any header fields except Subject, and that on explicit configuration, some specified header fields are to be accepted?

This way you can have the best of both worlds. I.e. the RFC doesn't forbid the use of extra fields, it just recommends that they are ignored by default. It would allow an implementation to allow some header field to be included if it became popular some time in the future.

--
Sincerely, email@example.com
Stephen R. van den Berg (AKA BuGless).

"Listen very carefully, I shall only say this once."
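
The policy proposed in this message (ignore every header field except Subject by default, accept others only on explicit configuration), as an added example that is not part of the original post or of any RFC text. The `name=value&name=value` percent-encoded field syntax, the function names and the sample field values are assumptions made for illustration; the message does not give the URL syntax.

```python
from urllib.parse import parse_qsl

# Default from the message: only Subject is honoured until an administrator
# explicitly configures more. Field names are stored lowercased.
DEFAULT_ACCEPTED = frozenset({"subject"})


def fields_from_query(query):
    """Decode header fields carried in a URL.

    ASSUMPTION: fields arrive as percent-encoded name=value pairs joined by
    '&'. The message does not specify the syntax; this is illustrative only.
    """
    return parse_qsl(query, keep_blank_values=True)


def filter_header_fields(fields, extra_accepted=()):
    """Split (name, value) pairs into (accepted, ignored).

    Mail header field names are case-insensitive, so the comparison is done
    on the lowercased name. Ignored fields are returned rather than silently
    dropped so that an implementation can log what it refused to use.
    """
    accepted_names = DEFAULT_ACCEPTED | {n.lower() for n in extra_accepted}
    accepted, ignored = [], []
    for name, value in fields:
        bucket = accepted if name.lower() in accepted_names else ignored
        bucket.append((name, value))
    return accepted, ignored


# Constructed sample input, not taken from the thread.
SAMPLE_QUERY = "SUBJECT=subscribe%20list&Reply-To=someone%40example.org&X-Priority=1"

if __name__ == "__main__":
    parsed = fields_from_query(SAMPLE_QUERY)
    print("default policy:   ", filter_header_fields(parsed))
    print("Reply-To enabled: ", filter_header_fields(parsed, ["Reply-To"]))
```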