Cote’s Weblog


Saturday, January 22nd, 2005 at 4:10 pm

RSS Security

The most recent Gillmor Gang touched on restricting access to RSS. Basic HTTP authentication can be used to restrict who can fetch the feed. That is, you can tell your web server (which provides the RSS feed to the world) not to allow access to the RSS feed unless the request authenticates with a username and password. If the username and password are incorrect, the user won’t be able to fetch the RSS feed.

Support for it isn’t in all aggregators (NewsGator has it, bloglines doesn’t, though you could encode the username and password in the URL), but that problem is solved, mas o menos.

Pseudo-DRM for RSS

The point that Steve O’Grady raised was a sort of DRM problem: making sure that once a user (or program) gets their hands on the RSS feed, it doesn’t get redistributed to unauthorized parties. This is a huge problem, re: RSS security, in systems like bloglines and other “middle-men” of the RSS world.

Here’s the scenario:

  • You enter your secret RSS feed into bloglines. (Assuming that feature is available.)
  • bloglines goes out and fetches the secret RSS.
  • You can read your secret feed in bloglines.
  • A different user logs into bloglines and searches for “secret feed,” which finds your secret feed.
  • That user subscribes to your secret feed, and then your secret’s out!

Putting it in the Aggregator

Now, bloglines does have the ability to make a feed “private.” I’m not quite sure what that means as I’ve never used it, but I’d hope it means that other users would never be able to “find” the feed. Maybe not though.

Anyway, by default it’s public. What if you, or someone else you want to access the secret feed, forgets to check off that “private” feature? Then your secret’s out again. Oh no!

Extending RSS

So, that’s the big scenario/problem. RSS being a very open and flexible data format (or de facto standard…I hesitate to call it a standard), we could easily fix this problem by just creating a security namespace, and inserting in a few tags that help describe the security restrictions for the feed. Something like:

<security:visibility>private</security:visibility>

Which would tell aggregators like bloglines “don’t share this with anyone else but the reader who subscribed to it.”
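How an aggregator might honor that tag when answering a search, as an added example (not code from the original post or from any real aggregator). The namespace URI, function names and index layout are hypothetical, and treating an untagged feed that required a login as private is an assumption of this sketch.

```python
import xml.etree.ElementTree as ET

# Hypothetical namespace URI; the post proposes the tag but defines no URI.
SECURITY_NS = "http://example.com/ns/rss-security"
VISIBILITY_TAG = f"{{{SECURITY_NS}}}visibility"


def feed_visibility(feed_xml, fetched_with_credentials=False):
    """Return 'private' or 'public' for a fetched RSS document."""
    channel = ET.fromstring(feed_xml).find("channel")
    tag = channel.find(VISIBILITY_TAG) if channel is not None else None
    if tag is not None and tag.text:
        value = tag.text.strip().lower()
        # Unknown values are treated as private rather than guessed at.
        return "public" if value == "public" else "private"
    # No tag: a feed that needed a username and password is assumed private
    # (an assumption of this sketch, so a forgotten checkbox does not leak it).
    return "private" if fetched_with_credentials else "public"


def search(index, query, user):
    """Return feed titles matching query that `user` is allowed to see."""
    hits = []
    for feed in index:
        if query.lower() not in feed["title"].lower():
            continue
        if feed["visibility"] == "private" and user not in feed["subscribers"]:
            continue
        hits.append(feed["title"])
    return hits


# Constructed sample feed, not taken from any real site.
SAMPLE_FEED = f"""<rss version="2.0" xmlns:security="{SECURITY_NS}">
  <channel>
    <title>Secret Feed</title>
    <security:visibility>private</security:visibility>
  </channel>
</rss>"""

INDEX = [{
    "title": "Secret Feed",
    "visibility": feed_visibility(SAMPLE_FEED),
    "subscribers": {"alice"},
}]

if __name__ == "__main__":
    print(search(INDEX, "secret feed", "alice"))    # subscriber sees it
    print(search(INDEX, "secret feed", "mallory"))  # other user does not
```

The tag is only advisory: it protects the feed in aggregators that check it, which is the gap the encryption idea in the next section is meant to close.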

Encrypting Content

Another option would be to support encrypted messages, backed by something like PGP. The RSS’s “post” content would just be a big block of public-key encrypted text. So, when a user tried to read the post, the aggregator software would pop up a prompt for the password/keys needed to decrypt the post.

I think that feature would be damn cool: then you could post everything publicly, and you’d be able to push down locking and unlocking to the edge (the publishing software and the aggregator), getting closer to a stupid network instead of relying on the network and its protocols to protect you. It’d also be good because your data would be protected even if the aggregator sucking in your RSS feed didn’t support this scheme: all the posts are encrypted, so unless your aggregator has support for decrypting them, they’ll be protected.

Good Luck Getting It Done

Of course, technically this is no big deal. The problem is getting the vendors in the blog/syndication/wiki world — Movable Type, blogger, bloglines, Technorati, etc. — to just start doing it.

Too bad I’m not in that world. It sure would be fun ;>


One Response to “RSS Security”

  1. lokimikoj Says:

    Hi

    I see first time your site guys. I like you :)
