Open saschanaz opened 1 year ago
omz13
commented
10 months ago It is 2023, the world has changed since the web was born: https is cheap, efficient, and ubiquitous, so yes, can we just move to https (and preferably tls 1.2 or better) by shifting the emphasis.
Plus, on iOS, macOS, establishing an insecure http connection is an almost impossible task, which means any clients on those platforms will, sooner rather than later, be forced to https.
darrenmeehan
commented
9 months ago This is something I was surprised by when setting up my own site. As a user it was annoying having to specify the scheme each time. I've read in places that my domain is my identity, but this isn’t the full picture.
As I developer think using http breaks down the trust model of indie auth.
I’d go further than discouraging http, and enforce https. I don't know enough about the ecosystem to know what getting there looks like.
darrenmeehan
commented
9 months ago https://github.com/indieweb/indieauth/issues/103 is a similar issue here which mentions enforcement, but there's more discussion here.
Per https://indieauth.spec.indieweb.org/#client-identifier:
But the spec does not discourage the latter, nor whether the server may reject the latter, and same for
redirect_uri. Should there be some explicit discouragement?