New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Proposal - <podcast:verify> tag #356
Comments
This is a great idea to eventually remove emails from RSS feeds and create another way to claim ownership. <podcast:verify type="[recordType(string)]">[url(string)]</podcast:verify> For instances: <podcast:verify type="TXT">my-awesome-podcast.rss.com</podcast:verify> I imagine TXT would be the main/ only record type that apps & services can check for their specific key-value pairs. TXT records are limited to 255 characters per string, but can have multiple strings per record, essentially grouping all verification values. This adds complexity for hosting companies that are probably more accustomed to dealing with RSS feeds than DNS records. On the other hand, it avoids polluting the RSS feed with a bunch of data that doesn't serve listeners. Alternatively, hosts could get smart about when these tags are/ aren't included but that itself is complex. |
We should keep this as simple as possible so I would exclude any DNS records manipulation (which also would not work at scale). The moment we add friction, we'll slow down or prevent the adoption across the industry.
where the URL referred in the attribute could look like this:
This way the podcast hosting service would just need to change the content of Just thinking out of the box here. Feedback is more than welcome. |
👍, especially the external file idea. Question about lifetime: should be clear what it means when the token is removed for a given service. Does it mean the verification claim is no longer valid? If not, how would one revoke a previously verified claim? |
Yes, this. I agree. The simpler the better. I'm grateful for your work here, Alberto - it's something that is very much needed.
Actually, I didn't propose oAuth. I proposed something that was, in a nutshell... "prove you own the podcast by demonstrating your ability to log into your podcast hosting company and show you own it". There's no new UI components required here really - just the ability to demonstrate your ability to visit a page in your podcast hosting company behind an auth wall, and if successful, to send a token back again proving that. Explicitly, my "token-Auth" proposal allowed, say, Podchaser to The above User-flow for a token-auth service when logged-in to the podcast host:
User-flow for a token-auth service when not logged-in to the podcast host:
User-flow for this service:
It would strike me that a two-button tokenAuth press is markedly simpler for the user than copying/pasting tokens into RSS feeds (and amending core code libraries to fiddle with RSS feeds). I'd add that it offers less support overhead, and will result in significantly fewer abandoned carts. If the issue is "how do we send a token over the internet in a secure way" then I'd hope there's prior art we can learn from here. But I'd suggest keeping clear of the RSS feed aids simplicity here. Is there a way we can clarify the user-flow here? |
@jamescridland thank you for elaborating your However, other factors come into play such as the complexity of implementation, interdependencies and likeliness of adoption. What happens behind the scenes in the
A closer look to [HERE BE DRAGONS 🐉 ]:
The aforementioned flow for the
The technical implementation of the The end-user UX for Last but not least, the On the other hand, adding an extra tag in RSS feeds according to the For all the aforementioned reasons, when balancing between UX, technical complexity and likeliness of adoption, I believe that the My prediction is that:
|
I think we should put this in phase 5 if we can settle on a format in a reasonable amount of time. I think I agree with @albertobeta here that while the oAuth style handshake is a better user experience, the back end complexity is sufficient enough to make it a hurdle for hosting companies to adopt. I think it would be a real shame if a proprietary thing came about. So, we could always formalize both and incorporate a version attribute that tells which method to use. Version 1 could be a token based approach and version 2 could be the full oAuth handshake. Just brainstorming here. |
I had suggested something like a verify/claim tag in February, so I suggest considering some of the responses to that. |
Let's try to reheat this, because it's important. I really, really don't like the idea of telling a customer to copy/paste a token into RSS. We've got to do better than this. How about this user-journey for a customer on Libsyn to claim their podcast on Spotify? The (Libsyn) podcast RSS feed advertises that it supports QuickVerify, and where to send the user.
Spotify sees this code and adjusts its claim process to be...
The link is https://libsyn.com/my-account/verify?token=2y4f2j5&name=Spotify&back=https://spotify.com/continue-claiming (the token, a friendly name for Libsyn's UI, and where the customer should be taken after verification). The user clicks the link(The user might need to log into Libsyn) The user agrees with Libsyn that Spotify can claim this podcast. Libsyn amends the RSS feed for this podcast to read ... and takes the user to the "back" URL to continue the claim process. Spotify refreshes the RSS feed to see if it can see its token in thereif the token is visible, THEN the user has shown that they own the podcast, and the claim is successful. The token is removed after 24 hours or if the user requests another claim from someone else. There is no requirement for this token to be visible longer than that; and no requirement (that I can see) that would require multiple tokens being visible at one time. Essentially, the same as "copy this code into this RSS feed", but we've given Spotify (in this case) both a URI and a friendly name to help this be programmatically added from their UI.
There's no privacy benefit from doing this. But I see the benefit of a fallback. So, instead, how about...
That's not brilliant, but it does mean that most of the time, an RSS feed won't contain any email address in it at all. (If a podcast host doesn't give an authUri in their |
Hi all, I think before moving anything further, maybe we could take another look at #342 which is the same purpose and where I already detailled how this could be implemented easily on hosting providers, in a secure way, without emails, and without requiring to modify feeds for every requests. Thanks ! 😃 |
The comment related to @PofMagicfingers suggestion is at #342 (comment) |
I’m going to write up a placeholder for the verify tag in Phase 6 and link it to this issue. That’ll at least give us a place to start. @PofMagicfingers, your flow in #342 is well described. We could sandbox this on the Podcastindex.org site for a couple of test feeds. All I ask is we avoid oAuth. It’s just overkill IMO. |
Yes that's what my comment and flow proposal is about : mimicking oauth, with reasonable security, without the hassle of oauth : no registered apps, no timed or specific tokens etc, only a pub/priv key system, using well known jwt technology, to authenticate the approval |
@PofMagicfingers I'm converting your proposal from #342 into a standalone doc. I'll link it here and we can use this issue as the main discussion thread for |
I can see pros and cons of adding the authorization framework to either |
When I say "multi-use" I mean it could also serve as the base tag for open subscriptions as well, which this handshake you've described works well for. The consumer would just be a podcast app instead of a platform or service. |
I'm going to "send a pencil with the astronauts" on this one. Why not simply encourage podcasters to put a non-personal email address in the RSS feed? |
I think the short answer would be "because they won't (or don't know how to) do that." Personally, I'm not that bothered by emails being public because let's face it, all of our email addresses have been (and will be) breached/exposed over and over and over again. The horse is out of the barn on that front. The main advantage I see here is it's an easier experience. It all stays in the app (webview) and nobody has to fiddle with emails. |
Thank you for the proposal, @daveajones I think the example of the I'd much rather see this as a different tag. Or - I'd much rather deprecate the |
Same. I agree on those points. If it’s a new tag we just deprecate the lock tag. Nice and easy. |
@PofMagicfingers Do you want to work on this with me? I'd like to build a proof of concept to show it working. I can add the consumer side support podcasterwallet.com if you can add the hosting side support to Podcloud. If you don't want to that's fine. I just thought it might be fun to collaborate. |
@daveajones why not, but I would not be able to look into it before September. I'm pretty busy at the moment 😶 |
Nice! Created a discussion and project for it. I'll go ahead and start building the consumer side and you can do the host side whenever you get time. |
I love the idea of simplifying the verification process and protecting privacy. It's just that we're building a solution than will never fully accomplish that. Until every app supports the new verify method, an email address will always be needed in the RSS feed. Sure, hosting providers could make a temporary toggle for verification purposes, but that seems to be overcomplicating the process for everyone. I just don't see how this tag can actually succeed at its purpose. |
@theDanielJLewis It's regrettable that you feel the need to spend time criticising and posting negativity. Just waving your hands around and suggesting it can't be done so we should all stop wasting our time is deeply unhelpful. My suggestion here is that when a podcast hosting company adds support for the sign-in bit of If that seems sensible to suggest, I'd be happy to add it to the proposal; or perhaps DJL can shoot this idea down as well. |
My apologies, @jamescridland, that's not how I wanted to come across. So let me try communicating it this way: I have these concerns; how can we address them for the best reception and implementation of this good idea? |
@daveajones I'd love to see the simplest version of this implemented, especially with Apple's looming deprecation of For our users, the most user-friendly approach is to give podcasters a "Verification code" field in the UI of their podcast hosting provider: I have Apple Podcasts people who've told me:
If this version existed, Transistor would support it immediately:
Future iterations could include auth URLs, etc., but in the absence of a simple, plain-text field for validation, podcasters are going to have to continue to put codes in |
That verify method is very similar to one of the multiple ways you can verify ownership of a site with some kind of meta tag in the HTML (in addition to DNS). So it's not radically different. |
This is a common sense idea Justin. It solves an immediate need in a clear way and doesn’t impede the tag from expanding to a more robust mechanism in the future as we work out the other part. I’m going to open up phase 6 this week so I’ll put this in there as you’ve written it. |
I'm closing this, since |
Context
The presence of a working email address in podcast RSS feeds has led to an important debate in the podcasting community regarding privacy and possible abuses.
One of the reasons why email addresses are required in podcast RSS feeds is to allow podcasters to claim their show by verifying the ownership through a code or link shared via email. This requirement started with Apple iTunes in late 2000s, which allowed podcasters to submit their podcast directly from within the application via a simple form asking for the RSS feed URL. Claiming a podcast via email quickly became and it still is a de facto standard for most podcast directories and services. While this approach historically made sense as it provided a quick and easy way to share a new podcast with the world, having email addresses publicly displayed in RSS feeds is not aligned with today's privacy-preserving trends and regulations.
@jamescridland raised this very point in a recent conversation and proposed to use oAuth link to display a Claim button and allow podcasters to verify their RSS feed via their podcast hosting service. While this is a valid approach, it presents a certain degree of technical overhead for both the hosting provider and the podcasting apps, that would need to implement and maintain a new oAuth layer and new UI components (e.g. button, modal box / popup). In addition, in the case of suboptimal third-party oAuth implementation and secret storage, this approach could also expose podcasters or companies to cybersecurity threats.
Proposal
At Podcast Movement Evolution 2022 in LA, we had a number informal conversations and unofficial brainstorming sessions with James, Sam, Ben, Ted, and others to address this specific challenge. The best idea that arose from this conversation is a new tag that includes a public verification token and it is used by podcast apps and directories to verify ownership of a given show.
We propose a new tag that we can call
<podcast:verify>
and that can be placed at the<channel>
level.This tag includes a public verification token and it can optionally specify a service (e.g. a hosting platform) as an attribute, according to the following syntax:
e.g.
<podcast:verify service="RSS.com">FB7AaST68NCEqx73</podcast:verify>
The tag can be repeated multiple times for different services.
Here is how an example use case would look like:
<podcast:verify>
tag.<podcast:verify>
tag includes the token originally provided, the RSS feed is successfully claimed!This would allow for RSS feed claim without the need for a public email address and without requiring the implementation of more complex Oauth / SSO solutions. It would effectively constitute the same approach that has been successfully used for decades to verify ownership of domain names using public TXT records.
During our informal conversations at PMEv, it also seemed that Apple had interest in removing the email address from the RSS feeds. This is no surprise since Apple has been a worldwide leader on a number of major privacy initiatives. There is definitely an alignment of intents in the entire industry (except the spammers) to remove public email addresses from RSS feeds. Therefore, the addition of this tag to the podcast namespace could potentially increase its adoption across the industry.
Thoughts?
The text was updated successfully, but these errors were encountered: