Jered Floyd writes:
> I guess it would be a matter of keeping 2 tokens in the database.
> In the case we sign/encrypt a tuple of (list, subscriber, timestamp) we don't need to store anything in the database.
True, but I'm concerned with the computation cost of validation. That shouldn't matter ordinarily, since legit unsubscribes will be rare, but it could be a vulnerability to a DoS attack.
> Option 1: signed/encrypted tuple (list, subscriber, timestamp)
> Option 2: UUID referencing a unique subscription in the database
>
> Sounds like you are favoring the 2nd option?
Yes, with explicit timestamp. The concerned party has knowledge of the first two. None of that is anybody else's business. Nerds like me would be pleased to be told the third component, and if expiration times are going to be "several months" as you suggested, I figure they should last as long as the signing key does.
> RFC 8058 doesn't specify response codes or really any behavior in response to the POST request. The user never sees this interaction.
Probably not. It's a little surprising that they said almost nothing (except some dark mutterings about hints that the address is valid). Maybe it's not necessary. If the list wants to, they can provide a goodbye message, and if it fails, the subscriber will get a valid token. :-) I just think it would be kind of rude not to give a response in the case of an expired token, because the subscriber did everything right as far as they can see.
> On the other hand, in Postorius we probably want to support a GET interaction against the same URI which provides a page with a button that generates the equivalent POST.
I don't think so. We can already put the list and address in the footer's unsubscribe link.[1] That would likely involve a login interaction.[2] The token alone wouldn't be sufficient credentials, because the footer is extremely likely to leak into public spaces.
> Incidentally, I imagine 8058 defines this as a POST interaction to avoid the mail-scanner issue we talked about last message.
Ah, good point. I've worked with John Levine, he's that smart and definitely that WG is that smart.
> Ah, to be outside the US, where the concept of consumer protections still exists...
Lina Khan lives!
Footnotes:

[1] Of course this would require changing GET processing of the unsubscribe link; it doesn't work that way now. But this should be a separate feature from RFC 8058 processing.

[2] If the user has a Postorius session active, they'll be whisked on through. But most users won't.
-- 
GNU Mailman consultant (installation, migration, customization)
Sirius Open Source https://www.siriusopensource.com/
Software systems consulting in Europe, North America, and Japan
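The signed-tuple token (Option 1) discussed in this exchange, as an added example that is not code from the Mailman project or from either participant: each validation costs one HMAC plus a constant-time compare and no database lookup, and because the timestamp rides inside the signed payload, a genuine but expired token can be answered differently from a forged one. The key, list id, address and lifetime are constructed values.

```python
import base64
import hashlib
import hmac
import time

# Constructed values for the example; a deployment loads the key from configuration.
SIGNING_KEY = b"example-signing-key-not-for-production"
TOKEN_LIFETIME = 180 * 24 * 3600  # "several months"; keep this <= the key's rotation period
MAC_LEN = hashlib.sha256().digest_size

def make_token(list_id, subscriber, issued_at=None, key=SIGNING_KEY):
    """Encode (list, subscriber, timestamp) plus an HMAC; nothing is stored server-side."""
    if "\n" in list_id or "\n" in subscriber:
        raise ValueError("field may not contain a newline")
    issued_at = int(time.time()) if issued_at is None else issued_at
    payload = f"{list_id}\n{subscriber}\n{issued_at}".encode()
    mac = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + mac).rstrip(b"=").decode()

def verify_token(token, now=None, key=SIGNING_KEY, lifetime=TOKEN_LIFETIME):
    """Return (status, list_id, subscriber); status is one of
    "ok", "malformed", "bad signature", "expired"."""
    now = int(time.time()) if now is None else now
    try:
        raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
    except ValueError:  # binascii.Error is a ValueError subclass
        return ("malformed", None, None)
    if len(raw) <= MAC_LEN:
        return ("malformed", None, None)
    payload, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    # Fixed cost per request: one HMAC plus a constant-time compare, no DB lookup.
    # The MAC is checked before the payload is interpreted, so list and address
    # are only ever read out of tokens this server actually issued.
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return ("bad signature", None, None)
    fields = payload.decode().split("\n")
    if len(fields) != 3 or not fields[2].isdigit():
        return ("malformed", None, None)
    list_id, subscriber, issued = fields
    # Expiry is only reported for a genuinely signed token, so the list can tell
    # the subscriber their link expired instead of treating it as a forgery.
    if now - int(issued) > lifetime:
        return ("expired", None, None)
    return ("ok", list_id, subscriber)
```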