#capjamesg[d] Thanks GWG! It is indeed. A few people suggested I add OpenSearch to the IndieWeb engine so I did. But I sort of wish there was more documentation around it.
#[fluffy] This X1 to X3 change seems to have caught a lot of the Internet by surprise. I'm lucky that all that broke for me was the cert chain on my dovecot server (which was because I was accidentally using `cert.pem` instead of `fullchain.pem`).
#[fluffy] Which, incidentally, seems to be the correct fix for a lot of servers, just making sure you're using the full chain instead of the single cert.
#[fluffy] and also doing a forced renewal if necessary
#aaronpk my problem is on the client side not the server side
#benatkin If an IndieAuth client for something needing high security required the Authorization Endpoint Link to be in the header rather than HTML, would it still be considered an IndieAuth client? How about if a <link> was in the head? Maybe show a warning instead? HTML is more often user editable than headers
#capjamesg[d] Can etag HTTP headers be used to check if content is the same on more than just RSS feeds?
#[snarfed] different failure modes. they can overlap, but neither is a superset of the other. eg for some people, down/broken is preferable to compromised
#[snarfed] regardless, agreed! like any feature, security adds complexity, maintenance burden, etc. we can have both security and maintainability, it just takes work
#[snarfed] (not a great framing, security isn't really a feature, but no matter)
#[snarfed] tantek++ for consistently raising awareness that security and privacy aren't free and have costs!
#Loqi tantek has 20 karma in this channel over the last year (60 in all channels)
#[tantek]1 rather, my point is more of a behavioral one, that unmaintainable security is in practice no security at all, because users care more about things mostly working and somewhat secure than about having things barely/rarely working and very secure
#[tantek]1 common users that is. obv there are large sets of users that very much want failure instead of security compromise
#[snarfed] both points are good, security has to be usable/maintainable, and it's a spectrum, adding _some_ security (for some cost) can be worthwhile even if it's imperfect
#[tantek]1 totally. big believer in defense in depth π
#[tantek]1 (aside, no karma while Loqi subject to aforementioned breakage in functionality due to no fault to Loqi in particular)