At 05:20 PM 1/7/00 -0800, Russ Allbery wrote:
>The scheme of using their e-mail address and checking against the
>subscriber list reduces to using their e-mail address as a password. It's
>not necessary to join a mailing list to know the e-mail address of one of
>the subscribers

Someone once pointed out to me that forging an email address has
no security risk if it results in the file being sent to the person
whose address was forged... so if you're emailing out the file,
using the list of current subscribers is just fine. If you're
showing it on the web, you'd have to do something like email a
cookie before authorizing viewing for a period of time. Of course
if I know that someone ELSE has been viewing your archives, I can
use their address to view until the cookie expires.
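
An added example, not part of the original message: a Python sketch of the "email a cookie" scheme for web viewing. The subscriber list, server key, lifetime and function names are assumptions made for illustration. In this sketch the viewer must present the mailed cookie itself, so supplying only a subscriber's address does not authorize viewing.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample data: subscriber list and server secret are assumptions.
SUBSCRIBERS = {"alice@example.org", "bob@example.org"}
SERVER_KEY = secrets.token_bytes(32)
TOKEN_LIFETIME = 3600  # seconds a mailed cookie stays valid


def _sign(address, expires):
    """HMAC over the address and expiry, so neither can be altered."""
    msg = f"{address}|{expires}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_cookie(address, now=None):
    """Return (recipient, cookie) to be mailed, or None for non-subscribers.

    The cookie is only ever sent to the address on the subscriber list, so a
    forged request delivers it to the real subscriber, not to the requester.
    """
    address = address.strip().lower()
    if address not in SUBSCRIBERS:
        return None
    expires = int(now if now is not None else time.time()) + TOKEN_LIFETIME
    return address, f"{address}|{expires}|{_sign(address, expires)}"


def may_view(cookie, now=None):
    """Authorize viewing only for an unexpired, correctly signed cookie."""
    try:
        address, expires_s, sig = cookie.split("|")
        expires = int(expires_s)
    except (AttributeError, ValueError):
        return False  # not a cookie at all, e.g. a bare e-mail address
    # Constant-time comparison of the presented and expected signatures.
    if not hmac.compare_digest(sig.encode(), _sign(address, expires).encode()):
        return False
    if address not in SUBSCRIBERS:  # unsubscribed since the cookie was issued
        return False
    return (now if now is not None else time.time()) < expires
```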