>>>>> "PW" == Patrick Wiseman <lawppw@gsulaw.gsu.edu> writes:
PW> It should possibly be an option -- it should most assuredly not be
PW> required, for the reasons suggested by Mr. Kulawiec -- but if it is an
PW> option, I would hope that email confirmation would still be required
PW> (or that it would be an option for me to require it) because it is
PW> impossible to verify the identity of someone who fills out a web form
PW> unless you already know who they are because you've required a previous
PW> registration, and that gets cumbersome.
It is impossible to verify the identity of someone who sends you a piece of
mail, too. The _only_ thing you can rely on is that the user has the
authentication key. In the case of Majordomo2, the key is a random number
and is essentially unguessable (unlike Majordomo1 keys, which have some
relation to the input data). So it doesn't matter whether the user
validated through email or through the web form; you have exactly the same
level of authentication.
In any case, you can elect not to give out the appropriate URLs in
confirmation messages if you want, which effectively amounts to turning it
off. (I imagine list owners and moderators might still want to use it for
approvals and moderation, so it makes sense to leave the CGI goody
enabled.)
- J<
References:
|
|
