Re: ACTION-278 Hiding metadata for security reasons from Jonathan Rees on 2010-02-07 (www-tag@w3.org from February 2010)

From: Jonathan Rees <jar@creativecommons.org>
Date: Sun, 7 Feb 2010 11:18:35 -0500
To: Larry Masinter <masinter@adobe.com>
Cc: "www-tag@w3.org" <www-tag@w3.org>, Tyler Close <tyler.close@gmail.com>, "Mark S. Miller" <erights@google.com>
Message-ID: <760bcb2a1002070818x58eaf349n22fec1138d929bb@mail.gmail.com>

1. The user may not know he/she is subscribed to the list (either
forgot, or was added speculatively), in which case it's unlikely
they'd have kept track of a password
2. Legitimate businesses want to make unsubscription as easy as
possible, to minimize the chance they'll be accused of sending spam.
Thus the password recovery step (and even, I would argue, the
copy/paste step) is unacceptable overhead to them
3. The user may not have the ability to send email from the account
that is subscribed (it may just be a forwarding address)

I'm going to mark my action 'pending review'.

Jonathan

On Sat, Feb 6, 2010 at 11:57 AM, Larry Masinter <masinter@adobe.com> wrote:
> Design 3:
>
>   1. The user is subscribed message to a mailing list.
>      There is a "subscription password"; the user can pick it
>      when subscribing or the system can generate one.
>   2. The list processing software sends an email message to the user,
>      providing advice that the user may unsubscribe from the list, and
>      including a link to an unsubscribe confirmation page; the link
>      also fills in the user name (but not the password).
>   3. The unsubscribe page lets you enter in the password. If
>       you don't remember or never had the password, there is a
>       "send me my password" link, which will email the password
>      to your email address.
>   4. The user follows the link to the confirmation page, and finds a
>      form with an input field requesting the password
>      and a button to "[Confirm] your unsubscription". The
>      form is to be submitted with method="POST".
>   5. The user types in the password from memory or
>      copies the password from the password email message and pastes
>      it into the password field, and activates the [Confirm] form
>      control.
>   6. The list processing software confirms the unsubscription and
>      removes the user from the list.
>
>
> This is the usage pattern in many email lists.
>
> Larry
>
>

Received on Sunday, 7 February 2010 16:19:08 UTC