Martin Atkins (mart) wrote in apparentlymart,

Action aggregators and the proxy problem

There's lots of talk right now about aggregating action streams to provide a single stream of "what are my friends doing?". You can see this on Facebook's news feed and on Plaxo Pulse. The current state of the art on this is simply aggregating the content in a bunch of public RSS or Atom feeds, but there's clear interest in being able to aggregate non-public content: if the owner allows me to see it on the originating site, why can't I see it in my friend stream?

A solution that's been bandied around for this is to use OAuth to fetch the RSS or Atom feeds, so that the content owner can grant the aggregating site (e.g. Plaxo Pulse) the ability to see the non-public items. The problem with this approach is that we're asking the wrong user. OAuth lets a resource owner delegate her access to a third-party site, but here the person who holds the relevant permission is me, the reader: I want to view an aggregated version of all the things that my friends would like me to be able to see on the web. A web-based aggregator like Plaxo Pulse doesn't work for this purpose because, while I have permission to view my friend's private blog on Vox, Plaxo does not, and OAuth can only hand Plaxo a permission that my friend chooses to delegate to it. My friend is not a Plaxo user, nor does she have any business or trust relationship with Plaxo, and nor should she have to.

My gut feeling on this is that aggregators must therefore be implemented at least partially client-side, in a client that I control on a computer that I control. This simplifies things considerably: now I can authenticate to my friend's RSS and Atom feeds directly, using whatever credentials the originating site already accepts from me. You can imagine middle-road alternatives where the web-based aggregator just receives encrypted, opaque blobs that can be decrypted client-side using a keypair that was set up separately, with the private half never leaving my machine, but I think that's still more than we can expect from today's browsers, and would be difficult to explain to users.

I think the most important thing to remember is that "just use OAuth" is not the answer to this problem. We've still got plenty of work to do.
