On Jun 13, 2014, at 12:11 AM, John R Levine wrote:

>> > When a user at a p=reject signs up for a list, you demand an OAUTH API
>> > token if the provider supports it, otherwise their host system
>> > password.
>>
>> -1 on the password thing. It's too close to phishing, imposes serious
>> privacy issues on Mailman hosts, and makes them targets for attack.
>
>Honestly, Tough Noogies. Let list managers make their own security
>decisions. AOL and Yahoo want all mail from their users to be authenticated.
>Well, OK, this will do it.

This is a really bad idea. In MM3, we've already eliminated the need for
keeping clear text passwords, and almost gotten rid of any user passwords at
all. OAUTH tokens are a little better, but no way do I want to hold a clear
text password for users.

-Barry
_______________________________________________
Mailman-Developers mailing list
[email protected]
https://mail.python.org/mailman/listinfo/mailman-developers
Mailman FAQ: http://wiki.list.org/x/AgA3
Searchable Archives: http://www.mail-archive.com/mailman-developers%40python.org/
Unsubscribe: https://mail.python.org/mailman/options/mailman-developers/archive%40jab.org
Security Policy: http://wiki.list.org/x/QIA9
