I was pulled away on other work for most of the day, but I think I've caught up with the whole thread.
On the micro-issue of what Mailman's ttw confirmation should do, I am much more swayed by Thomas's observation that we can actually add useful value by providing a form that allows the user to confirm or discard his request. Given that I agree with everything Chuq et al. have said about the inherent insecurity of GET, that seemed to me a more persuasive argument as it pertains narrowly to Mailman.
Unless someone wants to volunteer to do usability studies (for which I don't have the time), I propose to change confirm.py to POST a form, and to pull in the ability to cancel held postings and subscription requests. Good idea, Thomas.
But I definitely appreciate the discussions Gerald initiated, and I'm glad he did that. Hopefully, Gerald can bring the very valid concerns raised here before the W3C and the standards authors. I think they're vitally important to where the web is going. The security and privacy of the web has such a deservedly poor reputation, what with JavaScript and Java vulnerabilities (and the increasing number of sites that are simply unnavigable without them), client-side trojans, web bugs, hijacked ActiveX certificates, etc. etc. I really wish browser vendors would err on the side of security and privacy rather than on convenience. Sucker the user in enough times, or sucker enough of them in, and the web will not be able to recover.
-Barry
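The design Barry settles on above (render a confirm/discard form on GET, act only on POST) is sketched below as an added example. This is not Mailman's confirm.py or any code from the thread; the `PendingRequest` class, the `/confirm` path, the in-memory `PENDING` store and the sample request kinds are all constructed for illustration. The point it makes is that a GET on the confirmation URL must have no side effects, because link prefetchers, mail scanners and anyone who sees the URL in a log or Referer header can issue that GET; the one-shot token is consumed only by the POST.

```python
"""Added example (not Mailman's confirm.py): a confirmation handler that
never changes state on GET.  A GET renders a form with Confirm / Discard
buttons; the pending request is completed or discarded only on POST, and
only when the token in the POST body matches a pending request."""

import html
import secrets
from dataclasses import dataclass, field


@dataclass
class PendingRequest:
    kind: str       # "subscribe" or "held_post" (constructed vocabulary)
    subject: str    # the address or post id the request concerns
    token: str = field(default_factory=lambda: secrets.token_urlsafe(16))


# Constructed in-memory stores; a real deployment would persist these.
PENDING: dict[str, PendingRequest] = {}
COMPLETED: list[tuple[str, PendingRequest]] = []   # (outcome, request)


def add_pending(kind: str, subject: str) -> str:
    """Register a new pending request and return its confirmation token."""
    req = PendingRequest(kind, subject)
    PENDING[req.token] = req
    return req.token


def naive_confirm_on_get(params: dict[str, str]) -> tuple[int, str]:
    """The pattern the thread argues against: the bare GET completes the
    request, so any fetch of the URL (prefetch, link scanner, log replay)
    acts on the user's behalf without the user ever choosing to."""
    req = PENDING.pop(params.get("token", ""), None)
    if req is None:
        return 404, "No such pending request."
    COMPLETED.append(("confirm", req))
    return 200, f"Confirmed {req.kind} for {html.escape(req.subject)}."


def render_form(token: str) -> str:
    """GET view: show the request and let the user choose an outcome.
    Rendering has no side effects; the token stays in PENDING."""
    req = PENDING[token]
    return (
        f"<p>Pending {req.kind} request for {html.escape(req.subject)}.</p>"
        '<form method="post" action="/confirm">'
        f'<input type="hidden" name="token" value="{token}">'
        '<button name="action" value="confirm">Confirm</button>'
        '<button name="action" value="discard">Discard</button>'
        "</form>"
    )


def handle_confirm(method: str, params: dict[str, str]) -> tuple[int, str]:
    """Dispatch one HTTP request to the confirmation page.  Returns
    (status, body).  Only POST with a valid token and action changes state."""
    token = params.get("token", "")
    if token not in PENDING:
        return 404, "No such pending request."
    if method == "GET":
        return 200, render_form(token)
    if method != "POST":
        return 405, "Method not allowed."
    action = params.get("action")
    if action not in ("confirm", "discard"):
        return 400, "Unknown action."
    req = PENDING.pop(token)        # one-shot: the token is consumed here
    COMPLETED.append((action, req))
    return 200, f"Request {action}ed: {req.kind} for {html.escape(req.subject)}."


if __name__ == "__main__":
    t = add_pending("subscribe", "user@example.com")   # constructed sample
    print(handle_confirm("GET", {"token": t})[1])        # form only
    print(handle_confirm("POST", {"token": t, "action": "discard"})[1])
```

In `handle_confirm`, a repeated GET is harmless and a second POST with the same token gets a 404, which is the property the thread wants: the action happens once, and only as a result of the user pressing a button in the rendered form.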