cosign-discuss at umich.edu
general discussion of cosign development and deployment
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: authenticated rss
I've actually pushed back on this for the reasons you describe. RSS
was not designed from the beginning to handle authentication (like
the rest of the web) , and few readers can handle anything more than
basic-auth, fewer of which will deal with SSL.
My suggestion is generally to protect the content, and publish an
unprotected RSS feed which reveals just the information that can be
public (for example, just time stamp and author, or that plus title)
and a link to the protected content. The constant re-authentication
would be a pain but fortunately we have a really cool single sign on
Lots of people are talking about it, but in the world of RSS they are
the minority. It will be some time before enough readers can handle
authentication robustly (and by that time they will also be
supporting podcasts, videocasts, and effectively be indistinguishable
from web browsers) Another issue is that RSS readers in many cases
are not desktop applications, but websites that act as aggregators of
various feeds which would not be able to deal with this in any
immediately obvious way (three tiered credential passing on the web
is still very much in it's infancy, but SAML 2.0 shows some promise
in this area).
Having said that, Thunderbird (being so closely tied to a browser)
seems to deal with protected content the best of what I have tried.
On Oct 7, 2005, at 2:48 PM, Cory Snavely wrote:
We're starting to see more applications in the library for RSS, and
topic has come up about authenticating for RSS feeds that carry
Obviously we would envision this relating to other authentication
strategies, particularly CoSign, but this (RSS) seems really
tools at this stage. A few can do HTTP Basic Authentication over SSL.
Woo. One nice solution from my perspective would be an RSS reader that
can piggyback on browser cookies, but I haven't heard of any such
It's a little like when we were waiting for good cookie support across
the board...oh boy, Netscape 3 (or whatever). Remember that?
Given the state of the technology, we'd be really interested in
what other folks doing or thinking about authentication for RSS.
UM Library IT Core Services
Description: S/MIME cryptographic signature