LSTOWN-L Archives

LISTSERV List Owners' Forum

Francoise Becker <[log in to unmask]>
Wed, 17 Jun 1998 11:25:26 -0400
On 17 Jun 98 at 10:47, Erich L. Markert wrote:

> My $0.02.  Requests for passwords should be sent to either the list owner or the site
> owner.

The confusion here is in the nature of LISTSERV passwords. Passwords
have nothing to do with any particular list. The password is used by
LISTSERV to determine that the email address that a person enters is
really and truly that person's email address.

In your scenario, I could look at your list and find an email address
that I know belongs to someone you trust. Then I request a password
using that person's email address -- you see the confirmation and say
"yeah, that's an ok person, I'll ok his password". Now I can go in
and pretend to be that person and spam your list in his name.

The personal password only authenticates that the person coming in
through the interface is indeed the person that owns that email
address. It is not related to any list -- the password is the same
for that person whatever list they are trying to access. Once the
email address has been authenticated through the password, then the
email address is checked against the list security -- if the email
address is an owner, that person can perform owner functions; if the
email address is a subscriber, that person can perform subscriber
functions; if that address has no rights whatever on the list, then
having a password will not do him or her a bit of good.

Francoise
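
A minimal model of the two-step check described in the message above, added here as an illustration; it is not LISTSERV code and not part of the original post. The class, the action names, the addresses and the confirmation token mailed to the requested address are assumptions made for the example.

```python
import hashlib, hmac, secrets

ROLE_ACTIONS = {"owner": {"post", "configure"}, "subscriber": {"post"}}  # hypothetical actions

def _digest(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Server:
    def __init__(self, lists):
        self.lists = lists    # list name -> {address: role}; consulted only after authentication
        self.passwords = {}   # address -> (salt, digest); one entry per address, no list involved
        self.pending = {}     # confirmation token -> (address, salt, digest)
        self.mailboxes = {}   # address -> tokens delivered there (stands in for outgoing mail)

    def request_password(self, address, password):
        # Anyone may type any address; the token is mailed to that address, never returned.
        salt, token = secrets.token_bytes(16), secrets.token_hex(16)
        self.pending[token] = (address, salt, _digest(password, salt))
        self.mailboxes.setdefault(address, []).append(token)

    def confirm(self, token):
        # Only someone who can read the address's mail knows the token.
        address, salt, digest = self.pending.pop(token, (None, None, None))
        if address is not None:
            self.passwords[address] = (salt, digest)
        return address is not None

    def authenticate(self, address, password):
        salt, digest = self.passwords.get(address, (b"", b""))
        return bool(digest) and hmac.compare_digest(digest, _digest(password, salt))

    def allowed(self, address, password, list_name, action):
        if not self.authenticate(address, password):      # step 1: control of the address
            return False
        role = self.lists.get(list_name, {}).get(address)  # step 2: that address's role on the list
        return action in ROLE_ACTIONS.get(role, set())

def demo():
    # Constructed sample data: one list with one owner and one subscriber.
    bob, carol = "bob@example.org", "carol@example.org"
    srv = Server({"EXAMPLE-L": {"alice@example.org": "owner", bob: "subscriber"}})
    srv.request_password(bob, "impostor-pw")     # someone else types bob's address
    guessed = srv.confirm(secrets.token_hex(16))  # without bob's mail the token is unknown
    srv.request_password(bob, "bob-pw")          # bob's own request
    srv.confirm(srv.mailboxes[bob][-1])          # bob reads his mail and confirms
    srv.request_password(carol, "carol-pw")      # carol has no role on the list
    srv.confirm(srv.mailboxes[carol][-1])
    return {"impostor": guessed or srv.allowed(bob, "impostor-pw", "EXAMPLE-L", "post"),
            "bob_post": srv.allowed(bob, "bob-pw", "EXAMPLE-L", "post"),
            "bob_configure": srv.allowed(bob, "bob-pw", "EXAMPLE-L", "configure"),
            "carol_post": srv.allowed(carol, "carol-pw", "EXAMPLE-L", "post")}
```
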
