
RE: [syndication] Using sha1 in contact info?



The thing that strikes me about this is that it reinforces relationships
that you have, while blocking new people from the community; i.e., if
you already have someone's address, you can communicate to them re: their
feeds; if not, you're SOL.

So basically, this requires some sort of prior knowledge for
communication to take place. That's not such a bad idea for controlling
spam in general [1], but because feeds are generally public information,
I fear that this may devolve into the have's vs. the have-not's; people
'in the circle' talk about and improve their feeds, but if you're not in
the know, you're frozen out.

Or maybe my fears are overblown; maybe the use cases for this are really
just administrative, and this won't be an issue. It should be
considered, though, which is why I bring it up.

Other than that, really nifty idea.

Cheers,

1. http://www.w3.org/2001/12/rubyrdf/util/foafwhite/intro.html




> -----Original Message-----
> From: Bill Kearney [mailto:wkearney99@hotmail.com] 
> Sent: Thursday, November 21, 2002 2:16 PM
> To: syndication; rss-dev; syndic8
> Subject: [syndication] Using sha1 in contact info?
> 
> 
> Hi all,
> 
> I've been working with RSS feeds for a while now and am 
> troubled by the lack of contact info in the feeds.  I realize 
> that people want to avoid publicizing their e-mail address 
> for fear of it being harvested and assaulted by spammers. I 
> certainly sympathize as I get over a hundred spam messages a 
> day.  (Thankfully scripted off into oblivion)
> 
> But I'm left with the situation where many feeds [1] develop 
> problems and there's no easy way to reach the author of the 
> feed.  The specs support webMaster, managingEditor, 
> dc:publisher and dc:creator but few feeds use them properly, 
> if at all.  So I'm wondering if there's room for using a hash 
> signature.  The FoaF concept uses them and I'm thinking it 
> might be suitable in RSS as well.
> 
> FoaF's use of a hash is that it's applied only as an 
> 'identifier'.  It's not a signature and it's not expected to 
> be decoded.  It's an e-mail address that's been SHA1 encoded 
> using the e-mail address itself as a key.  This is different 
> than the whole public/private key concept.  In that situation 
> the hash would be the result of signing a string with a 
> private key, resulting in a publicly viewable hash.  Which 
> would only be decodable by having the private key.  I'm not 
> suggesting we scale up into that whole situation for this 
> purpose.  There's value to a discussion on signed XML but 
> that's fodder for another thread.
> 
> What a hash would do is allow anyone /already/ in possession 
> of your e-mail address to cross-reference the hash.  When 
> they come across a feed that's got a hash and if they've 
> already seen your address (it was revealed to them by some 
> other means) they could match it up and get in touch with 
> you.  You'd be free to ignore them of course.
> 
> A 'someone' that may already have your e-mail address is 
> Syndic8.com.  I'd be interested in seeing feeds contain a 
> hash that matched up against the e-mail address given to 
> Syndic8 during account signup.  This is not for the purposes of 
> spamming.  There's over 1700 feeds in various states of 
> disrepair. [1]  I'd like a way to more effectively reach the 
> content authors.  Right now if there's no contact info in the 
> feed it's an extremely tedious manual process to visit the site 
> and dig around for some kind of web form or e-mail address.  A 
> hash would make it a lot quicker to cross-reference the feed with 
> a contact and get things fixed.
> 
> By using a hash based on SHA1 and the address itself it's 
> possible to have a hash that's universally accessible.  I'm 
> not in favor of per-service hashes. The housekeeping there 
> would probably be more trouble than most folks would care to 
> tolerate.  That is, I don't favor using a key signed by 
> Syndic8 as it becomes limited to use only on Syndic8 and 
> decodable only with that key.  We could do this but it hardly 
> seems like a good idea.  The last thing RSS needs is more 
> proprietary solutions.
> 
> Remember, the hash is created with the address itself.  It 
> can't be decoded without having the address.  This 
> effectively makes it safe.  Yes, hashes could theoretically 
> be brute force decoded.  But in all likelihood a spammer 
> isn't going to expend the effort when your address is 
> doubtlessly discoverable from other sources.  You're free to 
> use a hash that's generated from a special e-mail address 
> just to be sure the address is trackable against being pimped 
> out to a spammer.
> 
> To that end I've also made a hash generator [2].  Use it to 
> make your own hashes.
> 
> The question then becomes how to stuff that hash into your 
> feed.  I'm open to suggestions.  I'm not sure how to 
> correctly jam the string into an RSS feed. Before I go and 
> reinvent a module it seemed like a good idea to open a 
> discussion on it.
> 
> So, thoughts?
> 
> Thanks,
> Bill Kearney
> 
> [1] http://www.syndic8.com/feedlist.php?ShowStatus=AwaitingRepair
> [2] http://feeds.archive.org/misc/hash/
> 
>
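
The cross-referencing discussed in this thread, as an added example that is not part of the original messages or of Syndic8's code: a directory that already holds contact addresses indexes their hashes and resolves the hashes found in feeds, leaving feeds whose owner it has never seen unresolved. It assumes the FOAF `mbox_sha1sum` convention (SHA-1 of the `mailto:` URI) and lowercase normalization; the addresses, feed URLs and function names are constructed for illustration.

```python
import hashlib


def mbox_sha1sum(address: str) -> str:
    """Hex SHA-1 of the mailto: URI (FOAF mbox_sha1sum convention, assumed here).

    Publisher and matcher must normalize identically or the hashes never
    meet; trimming and lowercasing is this example's assumption.
    """
    normalized = address.strip().lower()
    if normalized.startswith("mailto:"):
        normalized = normalized[len("mailto:"):]
    return hashlib.sha1(("mailto:" + normalized).encode("utf-8")).hexdigest()


def build_index(known_addresses):
    """Map hash -> address for every address the directory already holds."""
    return {mbox_sha1sum(a): a.strip() for a in known_addresses}


def resolve_feed_contacts(feed_hashes, index):
    """Return {feed_url: address or None}.

    None means the directory has no prior knowledge of the owner, which is
    the 'frozen out' case raised in the reply. The hash is unkeyed, so any
    party holding a list of candidate addresses can run this same lookup.
    """
    return {url: index.get(h.strip().lower()) for url, h in feed_hashes.items()}


# Constructed sample data: addresses given at signup, hashes seen in feeds.
KNOWN_ADDRESSES = ["Alice@Example.org", " bob@example.net "]
FEED_HASHES = {
    "http://example.org/rss.xml": mbox_sha1sum("alice@example.org"),
    # Same owner, but the feed published the digest in upper case.
    "http://example.net/index.rdf": mbox_sha1sum("bob@example.net").upper(),
    # Owner never registered, so the directory cannot resolve this one.
    "http://example.com/feed.xml": mbox_sha1sum("carol@example.com"),
}

if __name__ == "__main__":
    index = build_index(KNOWN_ADDRESSES)
    for url, contact in resolve_feed_contacts(FEED_HASHES, index).items():
        print(url, "->", contact or "no known contact")
```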