	cosign-discuss at umich.edu
	general discussion of cosign development and deployment

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: authenticated rss

To: Cory Snavely <csnavely@xxxxxxxxx>
Subject: Re: authenticated rss
From: Mark Allen Earnest <mxe20@xxxxxxx>
Date: Fri, 7 Oct 2005 15:10:00 -0400
Cc: cosign-discuss Discussion <cosign-discuss@xxxxxxxxx>
In-reply-to: <4346C2EF.3010009@umich.edu>
References: <4346C2EF.3010009@umich.edu>

I've actually pushed back on this for the reasons you describe. RSS was not designed from the beginning to handle authentication (like the rest of the web) , and few readers can handle anything more than basic-auth, fewer of which will deal with SSL. My suggestion is generally to protect the content, and publish an unprotected RSS feed which reveals just the information that can be public (for example, just time stamp and author, or that plus title) and a link to the protected content. The constant re-authentication would be a pain but fortunately we have a really cool single sign on tool ;)

Lots of people are talking about it, but in the world of RSS they are the minority. It will be some time before enough readers can handle authentication robustly (and by that time they will also be supporting podcasts, videocasts, and effectively be indistinguishable from web browsers) Another issue is that RSS readers in many cases are not desktop applications, but websites that act as aggregators of various feeds which would not be able to deal with this in any immediately obvious way (three tiered credential passing on the web is still very much in it's infancy, but SAML 2.0 shows some promise in this area).

Having said that, Thunderbird (being so closely tied to a browser) seems to deal with protected content the best of what I have tried.

Mark Earnest

On Oct 7, 2005, at 2:48 PM, Cory Snavely wrote:

We're starting to see more applications in the library for RSS, and the topic has come up about authenticating for RSS feeds that carry non-public information.

Obviously we would envision this relating to other authentication strategies, particularly CoSign, but this (RSS) seems really limited by tools at this stage. A few can do HTTP Basic Authentication over SSL. Woo. One nice solution from my perspective would be an RSS reader that can piggyback on browser cookies, but I haven't heard of any such thing.
It's a little like when we were waiting for good cookie support across
the board...oh boy, Netscape 3 (or whatever). Remember that?
Given the state of the technology, we'd be really interested in hearing what other folks doing or thinking about authentication for RSS.
Cory Snavely
UM Library IT Core Services

Attachment: smime.p7s
Description: S/MIME cryptographic signature

References:
- authenticated rss
  - From: Cory Snavely

Prev by Date: RE: authenticated rss
Next by Date: build for 1.9.0
Previous by thread: authenticated rss
Next by thread: RE: authenticated rss
Index(es):
- Date
- Thread