💾 Archived View for rawtext.club › ~sloum › geminilist › 006924.gmi captured on 2024-02-05 at 10:54:31. Gemini links have been rewritten to link to archived content


Malicious Links

mbays mbays at sdf.org

Thu Jul 15 21:58:12 BST 2021

- - - - - - - - - - - - - - - - - - - 
"Before following a URI which is in scope of a client certificate from
a page (or via a redirect) outside of that scope, clients MUST display
the target URI and what client certificate will be used to connect to
it."

Better. But I think "display" is still assuming too much about the client. What about audio-only clients? We could make it "present", but still we may find that it's too restrictive... what if a client wants to present only a shortened form of the URI, say without the scheme? Do we really want to say that it's in contravention of the spec? And so on.

Really, I don't think this kind of prescriptive text for the details of how clients should operate belongs in the spec at all.

Perhaps it would make more sense to add some general discussion about this issue, either to the spec or to best-practices.gmi, saying that clients should ensure that a client certificate is used only when it's clear that the user intends it to be, and pointing out these cases where it might not be clear (links and redirects into the scope of a certificate). Then let client authors decide how to implement this in whatever way makes most sense for their particular clients.
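
An added example, not part of the original message and not taken from any Gemini client: one way to detect the two cases the message points out, a link or a redirect that leads into the scope of a client certificate from outside it. It assumes a scope is a host, port and path prefix; the names `SCOPES`, `cert_for` and `cert_needing_intent` are hypothetical, and how the result is presented to the user is left to the client.

```python
from urllib.parse import urlsplit

# Constructed sample store: certificate scope (URL prefix) -> certificate name.
SCOPES = {"gemini://example.org/app": "alice-app"}

def _locate(url):
    """Return (host, port, path segments) for a gemini URL, else None."""
    u = urlsplit(url)
    if u.scheme != "gemini" or not u.hostname:
        return None
    segs = []
    for seg in u.path.split("/"):
        if seg == "..":
            if segs:
                segs.pop()      # resolve dot segments before comparing
        elif seg not in ("", "."):
            segs.append(seg)
    return u.hostname.lower(), u.port or 1965, segs

def cert_for(url, scopes):
    """Name of the certificate whose scope covers url (longest prefix wins)."""
    loc = _locate(url)
    best = None
    for scope_url, name in scopes.items():
        s = _locate(scope_url)
        if not loc or not s or s[:2] != loc[:2]:
            continue
        depth = len(s[2])
        # Compare whole segments so /app does not cover /application.
        if loc[2][:depth] == s[2] and (best is None or depth > best[0]):
            best = (depth, name)
    return best[1] if best else None

def cert_needing_intent(origin, target, scopes):
    """Return the certificate a link or redirect would newly bring into use.

    origin is the page or redirect source. None means the user's intent
    is already clear (no certificate applies, or origin shares the scope).
    """
    cert = cert_for(target, scopes)
    if cert is None or cert_for(origin, scopes) == cert:
        return None
    return cert
```

A client would call `cert_needing_intent` for each link activation and each redirect hop, and make the user's intent explicit whenever it returns a certificate name.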