Niall Kennedy has a blog post entitled Authenticated and private feeds where he writes

Examples of private feeds intended for 1:1 communication include bank balances, e-mail notifications, project status, and the latest bids on that big contract. Data in the wrong hands could be dangerous, and many companies will stay away from the feed syndication space until they feel their users' personal data is secure.

A private feed's data could be exposed in a variety of ways. A desktop aggregator's feed content might be available to other users on the same computer, either through directory access or desktop search. An online aggregator might expose a feed and its content in search results or a preview mode.

A feed publisher could whitelist the user-agents it knows comply with its access policies. SSL encryption might not be a bad idea either, as shared aggregation spaces might not store content requested over HTTPS. It would place extra load on the server as each request requires extra processing, but if the alternative is placing your customers' data in the Yahoo! search index then that's not such a bad thing.

I believe large publishers such as or eBay would produce more feed content if they knew their customers' data was kept private and secure. There's a definite demand for more content transmitted over feed syndication formats but it will take the cooperation and collaboration of security formats and consistent aggregation practices to really move the needle in the right direction.

How to properly support private and authenticated feeds is a big problem. Niall highlights it but doesn't go into much detail on why it is hard. The main problem is that the sites providing the feed have to be sure that the application consuming the feed is secure. At the end of the day, can Bank of America trust that RSS Bandit or Bloglines is doing a good job of adequately protecting the feed from spyware or malicious hackers?

More importantly, even if they certify these applications in some way, how can they verify that the applications are the ones accessing the feed? Niall mentions whitelisting user agents, but a User-Agent header is just a string the client chooses to send, so it is trivial to spoof. With Web-based readers one can whitelist the aggregator's IP range, since the requests come from servers the publisher can identify, but there isn't a good way to verify that the desktop application accessing your web server is really who the user agent string says it is.
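To make that concrete, here is an added illustration (my own, not code from Niall's post or from either reader named in it). It writes out both checks as a publisher might implement them and runs the same constructed requests through each: the user-agent allowlist accepts the genuine desktop reader and a forged copy of its header identically, while the IP-range allowlist can at least tell a hosted aggregator's servers from an impostor. The reader names come from the post; the version strings, the aggregator IP range (a documentation range) and the sample requests are assumptions.

```python
"""
Added example: a User-Agent allowlist versus a source-IP allowlist for a
private feed endpoint. Reader names are from the post; version strings,
the IP range and the sample requests are constructed for this example.
"""
import ipaddress

# Constructed policy for a hypothetical feed publisher.
TRUSTED_USER_AGENTS = ("RSS Bandit/", "Bloglines/")                # version strings assumed
TRUSTED_AGGREGATOR_RANGES = [ipaddress.ip_network("192.0.2.0/24")]  # hosted reader's range, assumed


def allowed_by_user_agent(headers):
    """Niall's whitelist idea: accept only readers the publisher thinks it has vetted.
    The header is chosen by whoever sends the request, so this proves nothing."""
    user_agent = headers.get("User-Agent", "")
    return any(user_agent.startswith(prefix) for prefix in TRUSTED_USER_AGENTS)


def allowed_by_source_ip(remote_ip):
    """Check usable for Web-based readers: did the request come from the
    aggregator's own servers? A desktop reader connects from its user's
    address, so this cannot identify it."""
    address = ipaddress.ip_address(remote_ip)
    return any(address in network for network in TRUSTED_AGGREGATOR_RANGES)


def classify_request(headers, remote_ip):
    """Return which checks a request passes, so both policies can be compared
    on the same input."""
    return {
        "user_agent_ok": allowed_by_user_agent(headers),
        "source_ip_ok": allowed_by_source_ip(remote_ip),
    }


# Constructed sample requests (addresses are documentation ranges).
GENUINE_DESKTOP_READER = (
    {"User-Agent": "RSS Bandit/1.3.0"},
    "203.0.113.17",   # the user's home connection
)
# Same header sent by something that is not RSS Bandit. Any HTTP client can
# do this (e.g. curl's -A option); nothing on the wire tells them apart.
SPOOFED_DESKTOP_READER = (
    {"User-Agent": "RSS Bandit/1.3.0"},
    "203.0.113.17",
)
HOSTED_READER = (
    {"User-Agent": "Bloglines/3.1"},
    "192.0.2.44",     # inside the aggregator's allowlisted range
)
HOSTED_READER_SPOOFED_UA = (
    {"User-Agent": "Bloglines/3.1"},
    "198.51.100.9",   # claims to be Bloglines, is not on its network
)


def user_agent_check_distinguishes_spoof():
    """False: the allowlist accepts the genuine and the forged request alike."""
    genuine = classify_request(*GENUINE_DESKTOP_READER)["user_agent_ok"]
    spoofed = classify_request(*SPOOFED_DESKTOP_READER)["user_agent_ok"]
    return genuine != spoofed


def source_ip_check_distinguishes_spoof():
    """True: for a hosted reader the source address, not the header, decides."""
    genuine = classify_request(*HOSTED_READER)["source_ip_ok"]
    spoofed = classify_request(*HOSTED_READER_SPOOFED_UA)["source_ip_ok"]
    return genuine != spoofed


if __name__ == "__main__":
    samples = [
        ("genuine desktop reader", GENUINE_DESKTOP_READER),
        ("spoofed desktop reader", SPOOFED_DESKTOP_READER),
        ("hosted reader", HOSTED_READER),
        ("impostor claiming hosted reader", HOSTED_READER_SPOOFED_UA),
    ]
    for name, request in samples:
        print(f"{name:32} {classify_request(*request)}")
    print("UA check tells spoof apart:", user_agent_check_distinguishes_spoof())
    print("IP check tells spoof apart:", source_ip_check_distinguishes_spoof())
```

The point of running both policies over the same requests is that the first two rows come out identical under the user-agent check: the publisher has no signal that separates the certified reader from anything that copied its header. The IP check does separate the last two rows, which is exactly why it only helps for readers that run on infrastructure the publisher can name in advance.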

This seems to be yet another example of where Web-based software trumps desktop software.


Categories: Syndication Technology
Tracked by:
"Accessing Private and Authenticated Feeds - Why it's important" (Scott Hanselma... [Trackback] [Pingback]
"IE7 RC1 can't update Password Protected Feeds" (Scott Hanselman's Computer Zen) [Trackback] [Pingback]
"Web based not greater than desktop." ( [Trackback]
"If it is really so simple, why is it so hard?" (Oppositionally Defiant) [Trackback],guid,dee6fb31-d90b-4d4b-b6e2-125... [Pingback]