>Ah. That may suggest the disconnect we are having lies
>somewhere other than in what I assumed. This document appears
>to have been written for Standards Track and the Last Call is
>for publishing it as a Proposed Standard. That implies at least
>a plausible assumption or realistic hope that it will be
>implemented and deployed by multiple independent parties. For
>that purpose, it just isn't complete and doesn't contain enough
>information, with that issue about hashes as one example,
>perhaps among many.

We already have two implementations in progress, at Gmail and AOL, and as Tobias said, this got enough attention at MAAWG that I think it's likely that other webmail providers will do it, too, as will a lot of ESPs (bulk mail providers.)

I agree that it could use some more hints about unique URLs to avoid forgery.

I don't know where, if anywhere, this would go in the draft, but the ESPs that are likely to implement this have rather different concerns from discussion lists like this one. They want the subscribers to get the mail, but they are much more concerned about minimizing complaints for fear of their mail going somewhere other than recipients' inboxes. If you make the unsub process complex, a fair number of people will figure (correctly for them) that it's easier just to report it all as spam until it goes away. So given a tradeoff between defending against fake unsubscribes versus making it easy for people to make the mail stop, they'll pick the latter.

I doubt this will ever make it into Mailman, but that's OK. The reason we're having this discussion is that Gmail noticed that people used the spam button to unsubscribe, so they added an option to the spam button to unsubscribe at the same time, and for that to work they need to do it without further interaction. It'd also be useful to automatically unsub from mail to closed or abandoned mailboxes.

R's,
John