Web forms are a convenient way for people to subscribe to newsletters, mailing lists, etc. But forms alone don't ensure that the email address provided in the form belongs to to the person filling out the form.
@@so use a callback... with plenty of entropy in the URI
@@oh... but by the way... don't take the GET on that URI as the confirmation; it should lead to a form where there's one more POST transaction.
(different patterns... ACLs... access orthogonal to identification)