[Mailman-Users] Re: cleartext passwords

J C Lawrence claw at kanga.nu
Mon Oct 2 20:48:13 CEST 2000


On Mon, 2 Oct 2000 11:20:42 -0700 
Chuq Von Rospach <chuqui at plaidworks.com> wrote:

> At 11:11 AM -0700 10/2/00, J C Lawrence wrote:
>> Currently Mailman defaults to making things easy for casual and
>> neophyte users, making Mailman lists easy to approach and use,

> Except I don't think passwords does that. I think passwords work
> in conflict with this.

<slap>

Chuq, you are accused of unrepresentative quoting to make your
point.  <poke in ribs> The compleat sentence for the above was:

  Currently Mailman defaults to making things easy for casual and
  neophyte users, making Mailman lists easy to approach and use, and
  places a small lock on the gate to deter casual attacks.

Admittedly I could have harped a bit more on the line of, "You get
to trade security for ease of use.  You can't get both.  You choose
your sweet spot and then live with it."

That said, I'm not fond of Mailman's current setup.  What I'd
prefer:

  -- List commands generate an email response which contains a
     confirm token (reply to this to make it happen) AND a custom
     URL (go to this page to make it happen).  The user gets to
     choose which he wants.

  -- Web-originated commands (subscribe, unsubscribe, settings etc)
     are exactly the same.  They reply with a confirm message just
     like the above UNLESS they are additionally authenticated with
     a previously established password.

  -- It would be nice if the account/password relationship were
     abstracted, so that things like LDAP could be plugged in.  Not a
     requirement tho.

This of course makes all changes a two step affair (change then
confirm).  To achieve the one step business you can then use the
normal password business as Mailman does it now.

What's this mean?  For 90% of operations no passwords are required,
nothing needs to be remembered or tracked by users, and everybody
sleeps comfortably.  For the odd guy who is on the road away from
his normal accounts or who is facile enough to know exactly what he
wants and how to do it, well, he can remember and use his password.

-- 
J C Lawrence                                 Home: claw at kanga.nu
---------(*)                               Other: coder at kanga.nu
http://www.kanga.nu/~claw/        Keys etc: finger claw at kanga.nu
--=| A man is as sane as he is dangerous to his environment |=--
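The confirm-token flow proposed in the message above, as an added example that is not part of the original post and not Mailman's own code. It assumes a hypothetical `ConfirmBroker` class, a constructed base URL `https://lists.example.org/confirm/` and a three-day token lifetime; every list command yields one single-use token delivered both as a mail-back line and as a URL, and a previously set password turns the change into a one-step operation.

```python
import hashlib, hmac, secrets, time

class ConfirmBroker:
    """Two-step confirmation for list commands as proposed above: one token per
    request, delivered both as a mail-back line and as a URL, so either channel
    completes the same pending command; a stored password makes it one step."""
    TTL = 3 * 24 * 3600  # assumption: a pending confirmation lives three days

    def __init__(self, base_url="https://lists.example.org/confirm/", now=time.time):
        self.base_url, self.now = base_url, now
        self.pending = {}    # token -> (command, address, issued_at); single use
        self.passwords = {}  # address -> (salt, pbkdf2 digest); never cleartext

    @staticmethod
    def _kdf(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def set_password(self, address, password):
        salt = secrets.token_bytes(16)
        self.passwords[address] = (salt, self._kdf(password, salt))

    def request(self, command, address, password=None):
        """One step if the caller proves a stored password, else issue a token."""
        rec = self.passwords.get(address)
        if password is not None and rec is not None and hmac.compare_digest(
                self._kdf(password, rec[0]), rec[1]):
            return "done", self._apply(command, address)
        token = secrets.token_urlsafe(24)  # 192 random bits: not guessable
        self.pending[token] = (command, address, self.now())
        body = (f"To {command} {address}, reply with the line\nconfirm {token}\n"
                f"or visit {self.base_url}{token}")
        return "confirm", body

    def confirm(self, channel_input):
        """Accept either the reply line 'confirm <token>' or the confirm URL."""
        token = channel_input.strip()
        if token.startswith(self.base_url):
            token = token[len(self.base_url):]
        elif token.lower().startswith("confirm "):
            token = token[len("confirm "):].strip()
        req = self.pending.pop(token, None)  # pop: a token works exactly once
        if req is None:
            return "unknown-or-used"
        command, address, issued_at = req
        if self.now() - issued_at > self.TTL:
            return "expired"
        return self._apply(command, address)

    def _apply(self, command, address):
        return f"{command}:{address}"  # stand-in for the real list change
```

A replayed or stale token is refused, and the password path never stores or compares cleartext, which is the concern the thread's subject line raises.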