--On 8 June 2006 12:39:22 +0100 David Lee <t.d.lee@durham.ac.uk> wrote:
> The incoming email would carry a header (or first line in body) of something like:
>
>     Authorised: sender-pw
>
> where "sender-pw" is associated with the (claimed) From-address. This is different from, but complementary to, "Approved: list-pw".
That's neither approval nor authorisation, it's authentication - proving that the person who used the email address also knew the password associated with it. It's far better to insist on authenticated SMTP for ALL message submission.
> Given that I'm just about to start on implementing this, it would be nice to establish whether this sender-related word "Authorised" is the appropriate word, or if there is something better.
I've had a look through that thread, and I'm not sure what you're trying to achieve. Generally, there are two aspects to deciding whether someone can post to a list: "authorisation" and "authentication".
Passwords are usually used for both, but it's far better to separate the functions. Knowledge of a personal password serves to authenticate you, but not to authorise you. Knowledge of a shared password is sometimes used for authorisation, but can't be used for authentication. Even for authorisation, passwords are extremely weak.
-- 
Ian Eiloart
IT Services, University of Sussex
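The separation argued for in this reply, as an added example that is not part of the original thread or of any list manager's code: authentication (a per-sender secret in the proposed `Authorised:` header, or an authenticated SMTP session) only establishes who sent the message, and a separate poster list decides whether that identity may post. The addresses, passwords, list name and function names are constructed, and the SMTP AUTH username is assumed to equal the sender's email address.

```python
import hashlib
import hmac
from email import message_from_string
from email.utils import parseaddr
from typing import Optional

SALT = b"constructed-salt"  # constructed; a real store would use a random per-user salt

def _kdf(pw: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), SALT, 100_000)

# Constructed sample data. Credentials and posting rights live in separate tables.
SENDER_PW = {"alice@example.org": _kdf("alice-secret"),
             "bob@example.org": _kdf("bob-secret")}
LIST_POSTERS = {"staff-list": {"alice@example.org"}}

def authenticate(raw: str, smtp_auth_user: Optional[str] = None) -> Optional[str]:
    """Return the proven sender address, or None if the From claim is unproven."""
    msg = message_from_string(raw)
    claimed = parseaddr(msg.get("From", ""))[1].lower()
    if not claimed:
        return None
    if smtp_auth_user is not None:
        # Authenticated SMTP: identity comes from the submission session,
        # and the From header must match it.
        return claimed if smtp_auth_user.lower() == claimed else None
    supplied = msg.get("Authorised")
    stored = SENDER_PW.get(claimed)
    if supplied is None or stored is None:
        return None
    ok = hmac.compare_digest(_kdf(supplied.strip()), stored)  # constant-time compare
    return claimed if ok else None

def authorise(identity: Optional[str], list_name: str) -> bool:
    """Posting rights depend on the list's own policy, not on knowing a password."""
    return identity is not None and identity in LIST_POSTERS.get(list_name, set())

def may_post(raw: str, list_name: str, smtp_auth_user: Optional[str] = None) -> bool:
    return authorise(authenticate(raw, smtp_auth_user), list_name)

def sample(sender: str, pw: Optional[str] = None) -> str:
    """Build a constructed test message, optionally with the Authorised header."""
    hdr = f"Authorised: {pw}\n" if pw else ""
    return f"From: {sender}\n{hdr}Subject: test\n\nbody\n"
```

Bob's correct password authenticates him, yet he still cannot post, because he is not on the list's poster table.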