> The way I understand it, the Validate= keyword is the first line of
> defense. The PW= keyword is used for non-critical commands.
>
> This makes for totally secure administration, because important
> system functions have to be confirmed to be executed. That means
> that if Joe Hack Guy sends a GET listname (HEADer using a forged
> email account the OK confirmation will go to the account he tried
> to forge....
>
> However, if you're using the web interface and he has your login
> and password then you may be at risk.

You definitely would be at risk if you didn't have the NoPW set in your
Validate keyword setting. NoPW eliminates the use of a PW which renders
the web interface useless to forgers, unfortunately the list owner also :)

--
John Lyon
L-Soft international, Inc.
http://www.lsoft.com