
John Levine writes:
- Forwarding signature
Thanks, I was about to write something like this!
- Submit and sign
When a user at a p=reject signs up for a list, you demand an OAUTH API token if the provider supports it, otherwise their host system password.
-1 on the password thing. It's too close to phishing, imposes serious privacy issues on Mailman hosts, and makes them targets for attack. This is too dangerous to be even an optional feature. Third party patches are OK, of course, but stock Mailman shouldn't do this.
I'm fine with annoying the hell out of Yahoo! and AOL users with an OAuth request on every post.
This is less nice, it's a lot of software development.
I don't think prototyping this is all that hard. We already have logic for checking DMARC thanks to dmarc_moderation_action. We just add the OAuth check to that, and if it fails, proceed to dmarc_moderation_action.