Chuq Von Rospach <[EMAIL PROTECTED]> writes:

> Anyone see a way to fix this? I don't, unfortunately. thanks, Mitch.
> Saves me a buncha work for little real benefit.

It sounds to me like the goal is to restrict access to the archives to
only list members, correct?  If that's the case, then that means you have
to authenticate an incoming user as a list member.  To do authentication,
you have to have a shared secret between you and the person you're
authenticating, however indirectly.  In the absence of personal certs
issued by a trusted authority or something else extremely complicated, in
practice I think this pretty much means either a password equivalent of
some sort or a confirmation handshake (which is essentially a one-time
password leveraged off the security of the person's e-mail account).

The scheme of using their e-mail address and checking against the
subscriber list reduces to using their e-mail address as a password.  It's
not necessary to join a mailing list to know the e-mail address of one of
the subscribers; there are other ways of obtaining that information, down
to someone just happening to mention in public that they're on a
particular mailing list and making some guesses about what address they
would be subscribed as.

-- 
Russ Allbery ([EMAIL PROTECTED])         <URL:http://www.eyrie.org/~eagle/>
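
The two schemes compared in the message above, as an added example that is not part of the original post and is not code from any list manager: an address-only check next to a confirmation handshake that mails a single-use token. The class name, the 15-minute lifetime, and the sample addresses are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 15 * 60  # seconds a mailed token stays valid (assumed policy)

class ArchiveGate:
    """Hypothetical archive gate; not any real list manager's API."""
    def __init__(self, subscribers):
        self.subscribers = {a.lower() for a in subscribers}
        self.pending = {}  # address -> (sha256 of token, expiry time)

    def address_only_check(self, claimed):
        # Scheme from the message: the address itself acts as the password.
        return claimed.lower() in self.subscribers

    def start_handshake(self, claimed, now=None):
        # Returns (address, token) to be e-mailed, or None for non-members.
        # The web page should answer identically in both cases.
        addr = claimed.lower()
        if addr not in self.subscribers:
            return None
        token = secrets.token_urlsafe(32)
        expiry = (time.time() if now is None else now) + TOKEN_TTL
        self.pending[addr] = (hashlib.sha256(token.encode()).digest(), expiry)
        return addr, token

    def finish_handshake(self, claimed, token, now=None):
        now = time.time() if now is None else now
        # Single use: any attempt, right or wrong, consumes the pending token.
        entry = self.pending.pop(claimed.lower(), None)
        if entry is None:
            return False
        digest, expiry = entry
        presented = hashlib.sha256(token.encode()).digest()
        return now <= expiry and hmac.compare_digest(digest, presented)

def demo():
    # Constructed sample data: one subscriber, and a visitor who knows her address.
    gate = ArchiveGate(["alice@example.org"])
    known_address = gate.address_only_check("Alice@example.org")
    addr, _ = gate.start_handshake("alice@example.org", now=0)
    no_mailbox = gate.finish_handshake(addr, "guess", now=1)
    addr, token = gate.start_handshake("alice@example.org", now=10)
    member = gate.finish_handshake(addr, token, now=20)
    replay = gate.finish_handshake(addr, token, now=30)
    return known_address, no_mailbox, member, replay
```

Knowing the address is enough to pass the first check, while the handshake succeeds only for whoever can read the token delivered to that mailbox.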
