CoSign: Collaborative Single Sign-On  

cosign-discuss at
general discussion of cosign development and deployment

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: authenticated rss

I've actually pushed back on this for the reasons you describe. RSS was not designed from the beginning to handle authentication (like the rest of the web) , and few readers can handle anything more than basic-auth, fewer of which will deal with SSL.
My suggestion is generally to protect the content, and publish an unprotected RSS feed which reveals just the information that can be public (for example, just time stamp and author, or that plus title) and a link to the protected content. The constant re-authentication would be a pain but fortunately we have a really cool single sign on tool ;)

Lots of people are talking about it, but in the world of RSS they are the minority. It will be some time before enough readers can handle authentication robustly (and by that time they will also be supporting podcasts, videocasts, and effectively be indistinguishable from web browsers) Another issue is that RSS readers in many cases are not desktop applications, but websites that act as aggregators of various feeds which would not be able to deal with this in any immediately obvious way (three tiered credential passing on the web is still very much in it's infancy, but SAML 2.0 shows some promise in this area).

Having said that, Thunderbird (being so closely tied to a browser) seems to deal with protected content the best of what I have tried.

Mark Earnest

On Oct 7, 2005, at 2:48 PM, Cory Snavely wrote:

We're starting to see more applications in the library for RSS, and the
topic has come up about authenticating for RSS feeds that carry
non-public information.

Obviously we would envision this relating to other authentication
strategies, particularly CoSign, but this (RSS) seems really limited by
tools at this stage. A few can do HTTP Basic Authentication over SSL.
Woo. One nice solution from my perspective would be an RSS reader that
can piggyback on browser cookies, but I haven't heard of any such thing.

It's a little like when we were waiting for good cookie support across
the board...oh boy, Netscape 3 (or whatever). Remember that?

Given the state of the technology, we'd be really interested in hearing
what other folks doing or thinking about authentication for RSS.

Cory Snavely
UM Library IT Core Services

Attachment: smime.p7s
Description: S/MIME cryptographic signature

Copyright © 2002 - 2004 Regents of the University of Michigan :  Page last updated 15-December-2010