Dear All,
Thanks for all the thoughts and comments - its great to hear from Broadcasters and Service Providers. I'd be very interested to also hear the thoughts of Device Manufacturers, so I'll try and tie up some of the threads here.
I think Andy gave a summary of this: "a simple acknowledgement of the ability the secure the acquisition of EPG over HTTP through one or more undefined security mechanisms in the specification is a good idea."
Its something we haven't discussed previously, and its about defining the 'right place' for this to happen, should it be needed.
As a few people have observed, I think the most obvious use-case here is between a Broadcaster and an Aggregator.
Lets say a Broadcaster already provides an open RadioEPG feed to the world. They then enter into an agreement with a specific Aggregator that states they will add additional information to the feed they provide purely to that Aggregator.
This could be for any number of reasons, and could result in richer metadata, or metadata within a specific namespace for that Aggregator (i.e. something that can't be accommodated by the core namespace). Or, as Walter suggests, returning a different streaming URL based on the Aggregator making the request (e.g. TuneIn, vTuner, etc.).
They would then negotiate an agreement with the Aggregator that results in them being given a key that they would use in any requests for RadioEPG documents.
My proposal is that we put a section in the specification that explains *where this key should go*. I would purposely not go into detail on *how that key is acquired*. I would determine that to be out of scope - as Andy mentions, the ways in which keys may be acquired will change rapidly. Certainly things like CPA and OAuth2 are good suggestions on how clients may acquire a key.
I definitely agree that a Service Provider should be able to decide whether to return a 401 code or a generic RadioEPG document when the authorisation has failed.
Also, for the purposes of these discussions, when HTTP is mentioned this includes the use of HTTPS. Again I would propose we put in the specification that any document requests including keys *must* be in HTTPS. I can't think of a reason why we wouldn't mandate that (discuss).
It would be useful for me to sketch out some further use-cases so we can visualise them, which I will do, starting with the ones Walter and myself have already proposed. If there are any specific ones you can think of, then please let me know.
From what I've heard so far, it sounds like there are no objections in principal to making this kind of change to the specification, albeit with the note that its not something that most Broadcasters would wish to do at this time. Again, let me know if I've not read that correctly.
As always - more views appreciated! I'll try and reply quicker next time.
Ben