solderpunk solderpunk at SDF.ORG
Wed Jun 17 13:29:37 BST 2020
- - - - - - - - - - - - - - - - - - -
On Wed, Jun 17, 2020 at 08:01:23AM -0400, Jason McBrayer wrote:
> What if, as you suggest, non-idempotent requests are required to use
> certificates, and further, that general-purpose clients are required to
> make cross-site requests *without a client certificate*, even if they
> have a certificate for the target in their store?
Yes, that would definitely be possible (AV-98 almost does this, but it explicitly asks you if you want to reactivate a previously used certificate when you cross back to a domain). I didn't mean to say that I think it's impossible to build a general purpose client that's optimised for reading static text but also certificate aware enough to use apps, and to do so in a careful way that avoids CSRF attacks or accidental "leakage" of identities. I don't doubt it can be done! And people are genuinely welcome to try. It just seemed to me that a client like that is going to be at the very least more fiddly work for developers to write and test, and perhaps also a bit more confusing for users to use, compared to either a client which just has no concept of client certificates, or one which does but is bound to a single domain. Two simple programs which each do one thing and do it well will be simpler and safer, and it plays well to one of our core strengths, which is that usable clients can be extremely lightweight so running one per app is very feasible.
Cheers,
Solderpunk
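As an added illustration of the two client policies discussed in this thread (this is not code from the list or from AV-98; the store contents and function names are constructed for the example), here is a small Python model of how a Gemini client decides which client certificate to present. The "naive" policy reuses any stored certificate for the target host, which is the behaviour that lets a link on one site trigger an authenticated, non-idempotent request on another; the "strict" policy keeps a certificate bound to the origin it was activated for, drops it on any cross-origin link, and only re-arms it through an explicit user action, as the AV-98 prompt does.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# Constructed sample store: host -> certificate label (stand-ins, not real certs).
SAMPLE_STORE: Dict[str, str] = {"app.example.org": "cert-A",
                                "other.example.net": "cert-B"}

def origin(url: str) -> Tuple[str, int]:
    """Host and port of a gemini:// URL; the Gemini default port is 1965."""
    parts = urlsplit(url)
    if parts.scheme != "gemini" or not parts.hostname:
        raise ValueError(f"not a gemini URL: {url!r}")
    return parts.hostname.lower(), parts.port or 1965

@dataclass
class Session:
    store: Dict[str, str]                    # host -> certificate label
    current: Optional[Tuple[str, int]] = None  # origin of the page being viewed
    active_cert: Optional[str] = None        # cert presented to `current`

def naive_pick(session: Session, target_url: str) -> Optional[str]:
    """Weak policy: attach any stored cert for the target, on every request,
    regardless of where the link came from."""
    host, _ = origin(target_url)
    return session.store.get(host)

def strict_pick(session: Session, target_url: str) -> Optional[str]:
    """Policy argued for in the thread: a cert stays bound to the origin it
    was activated for; a cross-origin link is fetched with no certificate,
    even if the store holds one for the target host."""
    target = origin(target_url)
    if session.current is not None and target == session.current:
        return session.active_cert
    return None

def navigate(session: Session, target_url: str) -> Optional[str]:
    """Follow a link under the strict policy; cross-origin moves drop the identity."""
    cert = strict_pick(session, target_url)
    session.current = origin(target_url)
    session.active_cert = cert
    return cert

def reactivate(session: Session) -> Optional[str]:
    """Explicit user action (the AV-98 prompt): re-arm the stored cert for
    the origin now being viewed. Returns the cert now active, if any."""
    if session.current is None:
        return None
    session.active_cert = session.store.get(session.current[0])
    return session.active_cert
```

Walking a session through "land on the app, opt in to the identity, follow an in-app link, then follow a link off-site" shows the strict policy sending no certificate on the cross-origin hop where the naive policy would have sent cert-B.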