[Phillip Porch]
My suggestion is: these sort of things should require the "password=<>" on the same line as the request. If I am a legitimate subscriber, I can punch the HTML button to get my password mailed to me...it's not like I have to keep it on a post and would be an inconvenient imposition to require that parameter as part of the request.
I think it is the way it is to accomidate the different privacy settings.
I'm not sure of the exact context here, but yes, different private_roster settings will give different results for the "who" mail command.
If "private_roster" is set to "List admin only", the "who" mail command will tell you "Private list: No one may see subscription list."
If set to "List members", it wil tell you "Private list: only members may see list of subscribers." unless the request sender address is a list member. This is the same algorithm that is used for deciding whether or not the "password" command with no arguments should mail back the member password or not -- so requiring a password to the "who" command in this case would just mean extra hassle, and not extra security.
If set to "Anyone", the roster will be mailed back without forther checking.
In all cases only non-hidden member addresses are included in the roster.
This all mimics the information available via the web interface closely.
Does that answer the questions you have?
Harald