On Monday, May 2, 2005, at 05:33 PM, Graham wrote:
> These two statements conflict:
> It is harder to fake the URI from which a feed is actually read.
> as identified in a link element (with rel="self") and the atom:id of the entry.
> rel=self doesn't contain where the feed came from, it contains where the feed claims it came from, and since it has no constraints on uniqueness or persistence, but is just as easy to spoof as id, it's an even worse choice.
Huh? I thought it contained a URI from which the feed could be accessed, and that if one were to get the feed from a different URI, the preferred action would be to fetch it from the "self" URI in the future. If an aggregator is subscribed to the "self" URI, then it knows what entries have been there, and can't be deceived by a feed claiming to have an entry from there. You're correct that there's no persistence, but I'd think most feeds are going to have fairly stable addresses. As for uniqueness, how are you going to get multiple feeds from the same URI? Different feeds may CLAIM the same "self" URI, but only one can actually come from there, so spoofs can be easily detected.
> (I'm also starting to think that feed ids are a bit of a waste of space, but anyway...)
I agree completely, except for cases recently named where a feed doesn't have a URI (delivered by email, etc).
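
The check described in the reply above (an aggregator subscribed to a "self" URI knows which entries were actually served there), sketched as an added example that is not part of the original message. The class and function names, the sample URIs and entry ids are constructed, and the final Atom namespace is assumed.

```python
import xml.etree.ElementTree as ET

ATOM = "{http://www.w3.org/2005/Atom}"  # assumption: final Atom 1.0 namespace

def parse_feed(xml_text):
    """Return (claimed rel="self" URI or None, atom:id values of the entries)."""
    root = ET.fromstring(xml_text)
    claimed = None
    for link in root.findall(ATOM + "link"):
        if link.get("rel") == "self":
            claimed = link.get("href")
    ids = [e.findtext(ATOM + "id") for e in root.findall(ATOM + "entry")]
    return claimed, ids

class Aggregator:  # hypothetical aggregator state, for illustration only
    def __init__(self):
        self.seen = {}  # URI the feed was actually read from -> entry ids served there

    def ingest(self, fetched_uri, xml_text):
        """Record entries under the URI they were really fetched from.

        Returns the entry ids that claim a subscribed "self" URI but were
        never served by that URI (candidate spoofs)."""
        claimed, ids = parse_feed(xml_text)
        suspicious = []
        if claimed and claimed != fetched_uri and claimed in self.seen:
            suspicious = [i for i in ids if i not in self.seen[claimed]]
        # Trust is keyed by the fetched URI only; a claimed "self" URI never
        # gains entries from a document read somewhere else.
        self.seen.setdefault(fetched_uri, set()).update(ids)
        return suspicious

def make_feed(self_uri, entry_ids):
    """Build a constructed sample feed claiming self_uri as its rel="self"."""
    entries = "".join(f"<entry><id>{i}</id></entry>" for i in entry_ids)
    return ('<feed xmlns="http://www.w3.org/2005/Atom">'
            f'<link rel="self" href="{self_uri}"/>{entries}</feed>')

def demo():
    agg = Aggregator()
    real = "http://example.org/feed.atom"      # constructed subscribed URI
    other = "http://example.net/copy.atom"     # constructed second source
    agg.ingest(real, make_feed(real, ["tag:example.org,2005:1"]))
    # A document read from elsewhere claims the subscribed URI as its "self".
    flagged = agg.ingest(other, make_feed(real, ["tag:example.org,2005:1",
                                                 "tag:example.org,2005:999"]))
    return flagged, agg.seen[real]

if __name__ == "__main__":
    print(demo())
```
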
