[Mailman-Users] Re: cleartext passwords
J C Lawrence
claw at kanga.nu
Mon Oct 2 21:32:18 CEST 2000
On Mon, 2 Oct 2000 12:17:55 -0700
Chuq Von Rospach <chuqui at plaidworks.com> wrote:
> At 11:48 AM -0700 10/2/00, J C Lawrence wrote:
>> -- Web-originated commands (subscribe, unsubscribe, settings etc)
>> are exactly the same. They reply with a confirm message just
>> like the above UNLESS they are additionally authenticated with a
>> previously established password.
> I don't think you need the password here. Mailback validation is
> fine, because it proves ownership (or at least access to) the
> email address. If you're being attacked, and they can read your
> e-mail, being subscribed to a mail list is the LEAST of your
> problems. No sense making the mail list service more secure than
> your e-mail account.
It's purely there so that someone away from their normal accounts can
continue to operate. Look at it this way:

  Given the confirm business:

    Authentication is two level: you know the subscription address and
    you get mail sent to it.

  Given a password:

    Authentication is two level: you know the subscription address and
    the password associated with it.

--
J C Lawrence Home: claw at kanga.nu
---------(*) Other: coder at kanga.nu
http://www.kanga.nu/~claw/ Keys etc: finger claw at kanga.nu
--=| A man is as sane as he is dangerous to his environment |=--
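
Added example, not part of the original message and not Mailman's own code: a sketch of the scheme discussed in this thread, where a web-originated command triggers a mailback confirmation unless it carries a previously established password. The `ListServer` class, its method names, the token lifetime and the PBKDF2 parameters are all assumptions made for illustration.

```python
import hashlib, hmac, secrets, time

CONFIRM_TTL = 3 * 24 * 3600  # assumed lifetime of a mailback token, in seconds

def hash_password(password, salt):
    # Store a salted, stretched hash; the cleartext password is never kept.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

class ListServer:
    def __init__(self):
        self.members = set()
        self.credentials = {}   # address -> (salt, password hash)
        self.pending = {}       # token -> (address, command, expiry)
        self.outbox = []        # (address, token) pairs standing in for confirm mails

    def set_password(self, address, password):
        salt = secrets.token_bytes(16)
        self.credentials[address] = (salt, hash_password(password, salt))

    def _password_ok(self, address, password):
        if password is None or address not in self.credentials:
            return False
        salt, stored = self.credentials[address]
        # Constant-time comparison of the stored and recomputed hashes.
        return hmac.compare_digest(stored, hash_password(password, salt))

    def _apply(self, address, command):
        # Only the two commands this example needs.
        if command == "subscribe":
            self.members.add(address)
        elif command == "unsubscribe":
            self.members.discard(address)

    def web_command(self, address, command, password=None, now=None):
        now = time.time() if now is None else now
        if self._password_ok(address, password):
            self._apply(address, command)       # address + password
            return "applied"
        # No valid password: nothing changes until the mailback is answered.
        token = secrets.token_urlsafe(32)
        self.pending[token] = (address, command, now + CONFIRM_TTL)
        self.outbox.append((address, token))
        return "confirm-sent"

    def confirm(self, token, now=None):
        now = time.time() if now is None else now
        # pop() makes each token single-use, whether or not it is still valid.
        address, command, expiry = self.pending.pop(token, (None, None, 0))
        if address is None or now > expiry:
            return "rejected"
        self._apply(address, command)           # address + access to its mail
        return "applied"
```

A wrong or missing password does not fail the request; it falls back to the confirm message, so the password path never grants less than the mailback path already does.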