indieweb / indieauth

IndieAuth.net website code and IndieAuth Specification

Should URL Canonicalization specify a default scheme? #8

Closed Zegnat closed 6 years ago

Zegnat commented 6 years ago

Mostly wondering if there is any reason that URL Canonicalization reads:

[…] the client MUST turn that into a valid URL before beginning the IndieAuth flow, by prepending a scheme and appending the path /. For example, if the user enters example.com, the client transforms it into http://example.com/ before beginning discovery.

This talks about “a scheme” and gives the example where http is added as the scheme. Should it be specified to always use http? Or is it OK for clients to default to https, which may not be supported by the server at all and result in an immediate failure?

As this is part of a “MUST” block, maybe the spec should be specific to make sure different clients do not handle this case differently?

aaronpk commented 6 years ago

It seems like defaulting to http or https is a decision that the client should make depending on its own security requirements. If a client wants to default to https to provide higher security, then it should be allowed to, as long as it provides appropriate error messages when that fails. However, if clients want to support a wider number of users, then they can default to http (which may just be an immediate redirect to https like my website does). I didn't see a reason to put a restriction on the default assumed scheme since clients can handle both cases gracefully.

Zegnat commented 6 years ago

After consideration, I agree that it can be left up to the implementation to support http or force https. I wonder if we need to explicitly say “by prepending either an http or https scheme”, or if the mention that “IndieAuth uses https/http” in the first paragraph is enough.

aaronpk commented 6 years ago

Thanks! I like the suggestion of mentioning both http and https explicitly. I've gone ahead with that change!
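
The canonicalization step discussed in this thread, as an added example that is not part of the original issue or of the IndieAuth code: bare input gets the client's chosen default scheme and an empty path becomes `/`. The function name, the `default_scheme` parameter, and the rejection of userinfo and non-HTTP schemes are assumptions of this example.

```python
from urllib.parse import urlsplit, urlunsplit

ALLOWED_SCHEMES = ("http", "https")


def canonicalize(user_input: str, default_scheme: str = "https") -> str:
    """Turn what the user typed into a URL with a scheme and a path.

    default_scheme is the client's own policy choice (http or https).
    Raises ValueError with a message the client can show to the user.
    """
    if default_scheme not in ALLOWED_SCHEMES:
        raise ValueError("default_scheme must be 'http' or 'https'")
    text = user_input.strip()
    if not text:
        raise ValueError("empty input")
    # Look for '://' instead of trusting urlsplit on bare input:
    # 'example.com:8080' would otherwise parse as scheme 'example.com'.
    if "://" not in text:
        text = f"{default_scheme}://{text}"
    parts = urlsplit(text)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"unsupported scheme: {parts.scheme!r}")
    if not parts.hostname:
        raise ValueError("no host in input")
    # Extra strictness chosen for this example: refuse user:pass@host,
    # which also catches bare input such as 'mailto:me@example.com'.
    if "@" in parts.netloc:
        raise ValueError("userinfo is not accepted")
    parts.port  # property access raises ValueError on a malformed port
    # A scheme the user typed is kept as typed; only bare input gets the
    # default, so nothing is silently upgraded or downgraded.
    path = parts.path or "/"
    return urlunsplit((parts.scheme, parts.netloc, path,
                       parts.query, parts.fragment))


if __name__ == "__main__":
    # Constructed sample inputs.
    for typed in ("example.com", "http://example.com", "example.com:8080"):
        print(typed, "->", canonicalize(typed))
```
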