
On Jun 13, 2014, at 12:11 AM, John R Levine wrote:
When a user at a p=reject signs up for a list, you demand an OAUTH API token if the provider supports it, otherwise their host system password.
-1 on the password thing. It's too close to phishing, imposes serious privacy issues on Mailman hosts, and makes them targets for attack.
Honestly, Tough Noogies. Let list managers make their own security decisions. AOL and Yahoo want all mail from their users to be authenticated. Well, OK, this will do it.
This is a really bad idea. In MM3, we've already eliminated the need for keeping clear text passwords, and almost gotten rid of any user passwords at all. OAUTH tokens are a little better, but no way do I want to hold a clear text password for users.
-Barry