Well, the first-ever release of a major public company’s financials via the Web, in advance of the conventional newswire service, is history. It went OK, but we can do better. Obviously, these discussions have been going on for a while, and observant readers may have noticed I visited Washington last March. However, the go-ahead to do the numbers on the Web came very recently, and so the mechanism was an ordinary RSS feed. We should publish this in Atom, and do it over a TLS channel, and supply a digital signature. Stand by for next quarter.
You’d be surprised how much work it is to set up for this kind of a high-volume public Web event. When I went to the sun.com people last week and said “Oh, and you’ll be switching over to TLS and Atom in the three working days left, right?” they laughed at me. Today, I noticed that while the RSS feed was updated spot on the top of the hour, it took a few minutes for the actual earnings release to trickle through the various levels of cache. There’s a first time for everything, that’ll get cleaned up.
Why TLS? · For the non-geeks, this means that the feed URI will start with https:, it’ll be a secure channel. This just has to happen, because otherwise there’s a potential gold mine for a smart bad guy. What the smart bad guy does is figure out how to (temporarily, locally) the DNS, say in a few key Manhattan offices, during trading hours. He sets up a fake sun.com and puts a fake news release in the feed claiming that we’re the subject of a major SEC investigation, having first shorted a few million shares. Ouch!
Why Digital Signature? · This idea was first proposed by James Snell, and it’s a good one. Mind you, the benefits are a little bit theoretical, since no feed-reading clients that I’ve seen actually check a digital signature. The argument for this is similar to that for TLS; a bad guy who could somehow insert a fake press release into the feed could make zillions by gaming the share price. A verifiable digital signature would let someone reading the feed know that the news in it really truly did come from Sun.
My hope is that if we and a few others start using signatures, the people who write clients will start checking them. This is the Internet, and we’re playing with real money and shooting live ammunition; gotta be careful.
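What a signature-checking feed reader would do, as an added example that is not part of the original post or any Sun code: verify the feed bytes against a publisher key pinned out of band, and refuse to parse or display anything that fails. It assumes a detached Ed25519 signature over the raw feed rather than the XML-DSig enveloped signature Atom defines; the sample feeds, the seed-derived keys, and the names `VerifyFeed` and `keyFromSeed` are constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"encoding/xml"
	"errors"
	"fmt"
)

// Feed is a minimal view of an Atom feed: only the entry titles a reader would show.
type Feed struct {
	Entries []struct {
		Title string `xml:"title"`
	} `xml:"entry"`
}

// Constructed sample data: the genuine feed and the forgery served from a fake host.
var genuine = []byte(`<feed xmlns="http://www.w3.org/2005/Atom"><entry><title>Quarterly results</title></entry></feed>`)
var forged = []byte(`<feed xmlns="http://www.w3.org/2005/Atom"><entry><title>Major SEC investigation</title></entry></feed>`)

// keyFromSeed derives a deterministic demo key (assumption: real keys are random and protected).
func keyFromSeed(b byte) ed25519.PrivateKey {
	return ed25519.NewKeyFromSeed(bytes.Repeat([]byte{b}, ed25519.SeedSize))
}

// VerifyFeed checks the detached signature against the pinned publisher key
// BEFORE parsing, and fails closed: an unverified feed is never returned.
func VerifyFeed(raw, sig []byte, pinned ed25519.PublicKey) (*Feed, error) {
	if len(sig) != ed25519.SignatureSize || !ed25519.Verify(pinned, raw, sig) {
		return nil, errors.New("feed signature invalid: refusing to display")
	}
	var f Feed
	if err := xml.Unmarshal(raw, &f); err != nil {
		return nil, err
	}
	return &f, nil
}

func main() {
	publisher := keyFromSeed(1)
	pinned := publisher.Public().(ed25519.PublicKey)
	sig := ed25519.Sign(publisher, genuine)

	f, err := VerifyFeed(genuine, sig, pinned)
	fmt.Println(f.Entries[0].Title, err)
	_, err = VerifyFeed(forged, sig, pinned)
	fmt.Println(err)
}
```

Because the check is on the content rather than the connection, it gives the same answer whether the bytes arrived from the origin, a cache, or a spoofed host.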