> In fact, if we are going to design browsers that allow the user the
> *option* of following the business card auth scheme, we might as well
> design browsers to allow the user the *option* of sending out the 'From:'
> field, and, if a server really wanted to, it could alter its output based
> on whether or not a From: field exists.
Some browsers do exactly that already. Emacs-w3 and I think one other,
can't remember right now, allow you to selectively turn off the sending of
various parts of the HTTP/1.0 request, including Referer, From, and certain
information about the operating system you are running on in the User-Agent
The HTTP/1.0 specification actually encourages this behaviour (or used
to, haven't read the new spec in about 3 weeks) in its addendum about
security and privacy related issues.