LSTSRV-L Archives

LISTSERV Site Administrators' Forum

Marty Hoag <[log in to unmask]>
Wed, 2 Feb 2000 10:23:11 -0600
   While there are several layers of security for list subscription
maintenance and web access, there seems to be only weak e-mail address
authorization for archive access.

   We host one list which is limited to registered users of some specific
licensed software.  They would like to be sure they limit access to the
list and archives.  They have suggested use of a PIN or password.

   It seems there are several ways to control subscriptions. "By_Owner" is
the simplest but there appear to be some exit points which may be used.
Controlling access to the archives seems more of a problem.

   We can make the archives private but the only way I can see to
protect the archives from a forged e-mail address is to collect no
archives at all.  Ironically, access to the archives from the web is more
secure than through e-mail.  As far as I can tell there is no way to
restrict the GET xxxx.LOGxxxx, GETPOST, SEARCH, or INDEX commands other
than by the e-mail address of the requester.

   Are there other options?  One way to do this might be to limit access
to ONLY the web, require a personal password on the e-mail archives
commands, or allow confirmation of the archives commands using a magic
cookie - similar to what Validate= Yes,Confirm does for subscription
information commands.

   Marty
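
The cookie-based confirmation of archive commands suggested in the message above, sketched as an added example; it is not part of the original post and not LISTSERV's own code. The server key, subscriber list, validity window, function names and the sample log filename are all assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)    # per-server secret (constructed for this example)
COOKIE_TTL = 48 * 3600                  # assumed validity window, in seconds
AUTHORIZED = {"alice@example.org"}      # constructed subscriber list
ARCHIVE_CMDS = {"GET", "GETPOST", "SEARCH", "INDEX"}  # commands named in the post

def _mac(sender, command, issued):
    # Bind the cookie to the address, the exact command text and the issue time.
    msg = f"{sender.lower()}\n{command}\n{issued}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()[:16]

def request(sender, command, now=None):
    """First mail. From: is unverified, so the command is never run here.
    Returns (recipient, cookie) for the challenge to send, or None."""
    now = int(time.time() if now is None else now)
    parts = command.split()
    if not parts or parts[0].upper() not in ARCHIVE_CMDS:
        return None
    if sender.lower() not in AUTHORIZED:
        return None
    cookie = f"{now:x}-{_mac(sender, command, now)}"
    # The challenge goes only to the subscribed address, so someone who
    # forged From: but cannot read that mailbox never sees the cookie.
    return sender.lower(), cookie

def confirm(sender, command, cookie, now=None):
    """Second mail. True only if the cookie is fresh and matches sender + command."""
    now = int(time.time() if now is None else now)
    try:
        issued_hex, tag = cookie.split("-", 1)
        issued = int(issued_hex, 16)
    except ValueError:
        return False
    if not 0 <= now - issued <= COOKIE_TTL:
        return False
    # Constant-time comparison; a replay inside the TTL can only repeat the
    # same command for the same address.
    return hmac.compare_digest(tag.encode(), _mac(sender, command, issued).encode())
```

The archive output itself should also be mailed only to the subscribed address, never to a reply path taken from the request.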
