Using sha1 in contact info?
Hi all,
I've been working with RSS feeds for a while now and am troubled by the lack of
contact info in the feeds. I realize that people want to avoid publicizing
their e-mail address for fear of it being harvested and assaulted by spammers.
I certainly sympathize as I get over a hundred spam messages a day. (Thankfully
scripted off into oblivion)
But I'm left with the situation where many feeds [1] develop problems and
there's no easy way to reach the author of the feed. The specs support
webMaster, managingEditor, dc:publisher and dc:creator but few feeds use them
properly, if at all. So I'm wondering if there's room for using a hash
signature. The FoaF concept uses them and I'm thinking it might be suitable in
RSS as well.
FoaF's use of a hash is that it's applied only as an 'identifier'. It's not a
signature and it's not expected to be decoded. It's an e-mail address that's
been SHA1 encoded using the e-mail address itself as a key. This is different
than the whole public/private key concept. In that situation the hash would be
the result of signing a string with a private key, resulting in a publicly
viewable hash. Which would only be decodable by having the private key. I'm
not suggesting we scale up into that whole situation for this purpose. There's
value to a discussion on signed XML but that's fodder for another thread.
What a hash would do is allow anyone /already/ in possession of your e-mail
address to cross-reference the hash. When they come across a feed that's got a
hash and if they've already seen your address (it was revealed to them by some
other means) they could match it up and get in touch with you. You'd be free to
ignore them of course.
A 'someone' that may already have your e-mail address is Syndic8.com. I'd be
interested in seeing feeds contain a hash that matched up against the e-mail
address given to Syndic8 during account signup. This is not for the purposes of
spamming. There are over 1700 feeds in various states of disrepair. [1] I'd
like a way to more effectively reach the content authors. Right now if there's
no contact info in the feed it's an extremely tedious manual process to visit
the site and dig around for some kind of web form or e-mail address. A hash
would make it a lot quicker to cross-reference the feed with a contact and get
things fixed.
By using a hash based on SHA1 and the address itself it's possible to have a
hash that's universally accessible. I'm not in favor of per-service hashes.
The housekeeping there would probably be more trouble than most folks would care
to tolerate. That is, I don't favor using a key signed by Syndic8 as it becomes
limited to use only on Syndic8 and decodable only with that key. We could do
this but it hardly seems like a good idea. The last thing RSS needs is more
proprietary solutions.
Remember, the hash is created with the address itself. It can't be decoded
without having the address. This effectively makes it safe. Yes, hashes could
theoretically be brute force decoded. But in all likelihood a spammer isn't
going to expend the effort when your address is doubtlessly discoverable from
other sources. You're free to use a hash that's generated from a special e-mail
address just to be sure the address is trackable against being pimped out to a
spammer.
To that end I've also made a hash generator [2]. Use it to make your own hashes.
The question then becomes how to stuff that hash into your feed. I'm open to
suggestions. I'm not sure how to correctly jam the string into an RSS feed.
Before I go and reinvent a module it seemed like a good idea to open a
discussion on it.
So, thoughts?
Thanks,
Bill Kearney
[1] http://www.syndic8.com/feedlist.php?ShowStatus=AwaitingRepair
[2] http://feeds.archive.org/misc/hash/
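
The cross-reference described in the message, as an added example that is not part of the original post: it hashes the `mailto:` URI the way FOAF's `mbox_sha1sum` does and looks feed hashes up against addresses a service already holds. The addresses, feed URLs, function names and the lowercasing step are constructed assumptions.

```python
import hashlib


def mbox_sha1sum(address: str) -> str:
    """Hex SHA-1 of the mailto: URI, the convention FOAF's mbox_sha1sum uses."""
    addr = address.strip()
    if addr.lower().startswith("mailto:"):
        addr = addr[len("mailto:"):]
    # Assumption: lowercase before hashing so publisher and matcher agree;
    # without a shared normalisation rule the two digests will not match.
    uri = "mailto:" + addr.lower()
    return hashlib.sha1(uri.encode("utf-8")).hexdigest()


def build_index(known_addresses):
    """Map digest -> address for addresses the service already holds."""
    return {mbox_sha1sum(a): a.strip() for a in known_addresses}


def cross_reference(feed_hashes, index):
    """Return {feed_url: address or None} for the hash found in each feed."""
    return {
        url: index.get(digest.strip().lower())
        for url, digest in feed_hashes.items()
    }


# Constructed sample data: addresses given at signup, hashes seen in feeds.
KNOWN = ["alice@example.org", "Bob@Example.net "]
FEEDS = {
    "http://example.org/index.rss": mbox_sha1sum("alice@example.org"),
    # Same person, published with a mailto: prefix and upper-case hex.
    "http://example.net/feed.xml": mbox_sha1sum("mailto:bob@example.net").upper(),
    # Address the service has never seen: the hash reveals nothing to it.
    "http://example.com/rss": mbox_sha1sum("carol@example.com"),
}

if __name__ == "__main__":
    matches = cross_reference(FEEDS, build_index(KNOWN))
    for url, contact in matches.items():
        print(url, "->", contact or "no known contact")
```

The digest is unsalted and unkeyed, so a match is a plain dictionary lookup: whoever holds a candidate address can confirm it, which is the property the proposal relies on.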