See also previous discussion on a Security extension.

This page is to help add the issue of security and privacy to the discussion.

Motivation: The use of blogs and feeds in intranets for private collaboration is relatively new, but several articles have hinted to an increase in use. The strongest plus is that it greatly reduces the amount of email floating around. The second advantage is that project manager working several projects can use desktop readers and/or aggregation to keep project information separate as the developers or others report on status in their blogs. One major concern of this is privacy and security concerns with intranets. Most intranets have cookies, HTTP authentication, encrypted sockets (through SSL or HTTPS), which standard aggregators and desktop readers are commonly unable to deal with. In addition, some journal sites like LiveJournal have the means to keep postings partially "private" (meant for specific people, based on login status), and currently can only handle that strictly in a proprietary means. Such postings end up never thrown into an RSS feed, even to an intended audient, simply because there is no standard way of enforcing that the recipient is anybody in particular, much less the indended audient.

The goal of this topic is to propose that some of that can be handled by the APIs. The current RestEchoApi has a section on HTTP authentication that may prove useful when finished. An idea is that the REST security section could also be used to actually downloading alternate versions of the whole feed as well as allowing authorized users to get/post individual entries as described in. Theoretically, if this leads to an agreed standard for which aspects of current WWW security will be accepted/supported by Echo, it should make it easier for Readers & Aggregators to implement (and make the user interface for the tool easier for the end user).

The current situation, where every feed behind a security wall could be protected from any one of a dozen different mechanims, leads to no tool supporting any of them, and the use of RSS is currently limited to public only data.

Original author: JoeShelby