Hey Monica,

Thanks a lot for the response and my apologies for taking so long to
get back to you.

On Thu, Oct 7, 2010 at 11:24 AM, Monica Keller <[email protected]> wrote:
> Concerns for Option1 here
> -Putting burden on subscribers to handle the different HTTP methods (DELETE,
> PUT) -- Not a huge concern

Indeed, and the method stuff may just be in the X-HTTP-Method-Override
header anyways.

> Would we now be asking all subscribers to have SSL certs? That is a fairly
> big requirement.
>
> OAuth 2 burdens the service providers with this so I have concerns about
> burdening the subscribers with it.

Yes I agree that's an issue. My hope was there is a way to have Hubs
cache SSL cert fingerprints, so even a self-signed cert could be added
to the certificate chain if it was the same one that was originally
used to establish the subscription.

> My other question would be whether web hooks is a better fit today for APIs
> since there really isn't a need for a hub to fan out.
>
> As much as I love PubSubHubbub I think we should answer the question of how
> many service providers would want to push their response to another hub.
> MySpace and FB didn't really need an external hub. At Socialcast it's the
> same thing we are going to add PuSH but it's a private response for which you
> need to authenticate
>
> My experience leads me to believe there is a serious need to support a
> publisher who is its own hub.

Well I totally agree with you that the common case is becoming people
running their own hub. The old light-pings are mostly there for
bootstrapping and boosting adoption. However, even if you run your own
hub, how do you achieve "a private response for which you need to
authenticate"? What is Socialcast using for authentication from your
self-run hub to the subscriber?

X-Hub-Signature works well enough for payload-only messages, but what
about messages that have headers, like arbitrary content? I don't
think that running your own hub alleviates that problem, which is why
I'm looking for a general solution that all providers can employ. Does
that make sense?

-Brett
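
Added example, not part of the original message: a subscriber-side check of X-Hub-Signature (HMAC-SHA1 of the request body, keyed with the subscription secret), showing the limitation raised above, namely that the signature covers the payload but not headers such as X-HTTP-Method-Override. The secret, body, header values and function names are constructed for illustration.

```python
import hashlib
import hmac

def sign_body(secret: bytes, body: bytes) -> str:
    """Hub side: X-Hub-Signature value, an HMAC-SHA1 over the body only."""
    return "sha1=" + hmac.new(secret, body, hashlib.sha1).hexdigest()

def verify_delivery(secret: bytes, headers: dict, body: bytes) -> bool:
    """Subscriber side: recompute the body MAC and compare in constant time."""
    received = headers.get("X-Hub-Signature", "")
    if not received.startswith("sha1="):
        return False  # missing or unknown signature scheme: reject
    expected = sign_body(secret, body)
    return hmac.compare_digest(received.encode(), expected.encode())

# Constructed sample values (not taken from any real deployment).
SECRET = b"constructed-subscription-secret"
BODY = b"<entry><id>tag:example.org,2010:1</id></entry>"

def demo() -> dict:
    """Return what the body-only check accepts and rejects."""
    headers = {
        "Content-Type": "application/atom+xml",
        "X-Hub-Signature": sign_body(SECRET, BODY),
    }
    results = {"original": verify_delivery(SECRET, headers, BODY)}

    # Any change to the payload invalidates the MAC.
    results["body_modified"] = verify_delivery(SECRET, headers, BODY + b" ")

    # A header added or changed in transit is outside the MAC input,
    # so the same signature still verifies.
    altered = dict(headers)
    altered["X-HTTP-Method-Override"] = "DELETE"
    results["header_modified"] = verify_delivery(SECRET, altered, BODY)

    # Unsigned deliveries are rejected outright.
    unsigned = {"Content-Type": "application/atom+xml"}
    results["unsigned"] = verify_delivery(SECRET, unsigned, BODY)
    return results

if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

A subscriber relying on this check alone has to treat every header value as unauthenticated unless the transport (for example TLS to a known hub) protects it.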
