Accessing Private and Authenticated Feeds - Why it's important
Niall Kennedy blogs about accessing private feeds, but doesn't mention that IE7 and Office 2007 don't support it.
HTTP Authentication works with most desktop aggregators but runs into trouble with most online aggregators which rely on a common feed store based on feed and/or link URIs.
He's close. The Common Feed Store in the new Microsoft RSS Platform is an offline store that can't handle authenticated feeds. Since Microsoft is heading towards (headed?) dropping a huge ball here, it'll really depend on Bloglines, My.Yahoo and Live.com to get it right and support secure, authenticated feeds.
Dare posts about Niall's post and has an interesting comment:
"At the end of the day, can Bank of America trust that RSS Bandit or Bloglines is doing a good job of adequately protecting the feed from spyware or malicious hackers?"
Of course they can't, just as BofA can't control that I might use any old HTTP stack to talk to their regular website. Angle brackets over HTTP are what they are. RSS just makes them more regular and a little easier to parse. It's true, a man-in-the-middle attack or trojan that targets offline aggregators would have a field day; but they would with any client and nearly any protocol.
More importantly, even if they certify these applications in some way, how can they verify that the applications are the ones accessing the feed? Niall mentions whitelisting user agents, but those are trivial to spoof. With Web-based readers, one can whitelist their IP range, but there isn't a good way to verify that the desktop application accessing your web server is really who the user agent string says it is.
I would propose within the context of banking, keying off Dare's comment, that OFX and RSS are arguably the same thing with RSS just being more presentation focused. OFX being pulled into Microsoft Money and Yodlee is no different from RSS being pulled into RSS Bandit or Bloglines.
A more interesting question to ask is: how can we integrate CardSpace-style trust - real trust - between a client and server over the wide open Internet while still allowing for the unattended retrieval of data? Multi-factor authentication just isn't possible given the RSS model at any point other than the initial subscription. We'll have to include an InfoCard (read: client-side cert) token within an HTTP POST (or long GET) request for an RSS Feed. That's at least 12-18 months away from adoption by the masses - and that's assuming that VISA gives free InfoCards away to everyone. It'll take someone with the power of VISA or AMEX to become a (free) Security Token Service (STS); adoption by Verisign, who will charge us $14.95, will be a non-starter. But this is all future talk.
I say this: IE7 and Office 2007 not supporting Basic or Digest Authentication out of the box for accessing secure feeds will negatively affect adoption of RSS more than any other failing of the spec since its inception. It will slow adoption down at every level; it will make it harder for Financial Institutions to justify it, and it will flummox internal Enterprises who don't have a complete NTLM/AD infrastructure.