> I've reached the conclusion that "private" RSS feeds that require
> authentication is a bad idea.

I disagree.

> The problem is that RSS is frequently
> consumed by spiders, robots and other automated apps and then
> re-purposed.

Automated apps wouldn't have the auth keys. Thus the feed would never get
seen by them.

> This re-purposing often results in the items then appearing
> in a public feed with no authentication. So even though you serve up the
> feed securely you really have no idea what happens to it later. An
> example of this was a feed that was dropped into Newsgator by a user. it
> later turned up in Newsgator's public search. This is not a refelection
> on Newsgator necessarily and I know they do try and keep HTTP-Auth
> protected feeds out of their public database.

The existance of the RSS feed URL can't be assumed to stay private. That
something else might possess the URL doesn't compromise the contents.

> In theory this should be no different from HTTP-AUTH protected web
> pages. But in practice the RSS community is much less careful about
> respecting privacy than the relatively smaller community of people that
> write automated apps to access html pages.

I don't think this is any different than any other computer program.
E-mail, for example, does nothing to prevent simple forwarding, let along
cut/paste. Nor do web pages. Feeds aren't any more or less 'respecting' in
this regard.

> The point here is that if we write aggregators we should try to be
> careful about respecting feeds that should be private. In practice, this
> can be hard. And as a feed provider you shouldn't assume that your
> private feed will stay private.

If it's behind an http auth you've reason to assume that unless the user
also republishes their username/password combo it'll remain safe for the
first pass.

> Which is all a long winded way of saying that if you want a feed from a
> Yahoogroup, then make the group open. What is the group owner trying to
> hide anyway?

I likewise disagree on this point. It's tragically disappointing that yahoo
has not come to grips with this problem. That they cannot offer their list
members the option of using RSS for their lists shows they really don't get
RSS.

-Bill Kearney