2010/1/24 John Panzer <[email protected]>:
> Ok, but make the subscription request be a Salmon and get the benefit
> of verified (user) subscriber identity with a pointer to their
> Webfinger info. In many cases this would allow that request to be
> auto-handled based on rules (any friend can subscribe).

Agreed, in principle; the actual mechanics of doing so are simple enough that we don't need to pull in the full Salmon stack, or maybe this is something that Salmon could build upon?

For example, "From" is a valid HTTP header, and is specified as "the email address of the user making the request"; simply including that in the request means that hubs and feed providers can verify the request as authentic as long as the From address corresponds to a Webfinger account with the hub and/or callback URL (as the case may be) listed as trusted delegates.

Any verification semantics (i.e., rules or hand-off to a human) are completely up to the feed provider, which is a nice property of this approach, and mirrors exactly the situation we currently have with social networks, thus fulfilling the "don't invent anything" pseudo-requirement of protocol design. ;-)

b.
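
The check described in the message above, sketched as an added example that is not part of the original thread: a hub or feed provider accepts a request only if the Webfinger record for the `From` account lists the hub or callback URL as a delegate. The link relation `DELEGATE_REL`, the helper names, and the inline `WEBFINGER` records are assumptions made for illustration; the message names no rel and a real deployment would do a live Webfinger lookup.

```python
from email.utils import parseaddr
from urllib.parse import urlsplit

# Hypothetical link relation: the post names no rel for "trusted delegate".
DELEGATE_REL = "http://example.org/rel/trusted-delegate"

# Constructed Webfinger link sets standing in for a live lookup.
WEBFINGER = {
    "alice@example.com": [
        {"rel": DELEGATE_REL, "href": "https://hub.example.net/"},
        {"rel": DELEGATE_REL, "href": "https://reader.example.org/push/callback"},
        {"rel": "http://webfinger.net/rel/profile-page",
         "href": "https://example.com/alice"},
    ],
}

def canon(url):
    """Reduce a URL to a comparable tuple, or None if it is not plain http(s)."""
    try:
        p = urlsplit(url)
        port = p.port                     # raises ValueError on a bad port
    except ValueError:
        return None
    if p.scheme not in ("http", "https") or not p.hostname or p.username:
        return None
    port = port or (443 if p.scheme == "https" else 80)
    return (p.scheme, p.hostname, port, p.path or "/", p.query)

def is_trusted_delegate(from_header, url, lookup=WEBFINGER.get):
    """True only if the From account's Webfinger record lists url as a delegate."""
    _, addr = parseaddr(from_header or "")
    local, at, domain = addr.rpartition("@")
    if not (local and at and domain):
        return False                      # missing or malformed From: fail closed
    links = lookup(f"{local}@{domain.lower()}")
    target = canon(url)
    if not links or target is None:
        return False                      # unknown account or unusable URL
    # Exact match on scheme, host, port, path and query; no prefix matching.
    return any(l.get("rel") == DELEGATE_REL and canon(l.get("href", "")) == target
               for l in links)
```

The `From` value is only a claim by the requester; what the receiver relies on is the delegate entry published in that account's own Webfinger record, so the lookup must be made over a channel the receiver trusts.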
