authority's userinfo?
solderpunk
solderpunk at SDF.ORG
Wed Jun 10 21:28:11 BST 2020
On Wed, Jun 10, 2020 at 01:15:33PM +0200, Felix Queißner wrote:
>
> If your server handles user@ in a different way than without authority,
> i think that's totally in-spec, but authentication is probably not.
>
> One possible usage for authority could be home-dirs instead of an
> official site:
>
> Instead of using
> => gemini://random-projects.net/~felix/
> one could also access the directory via
> => gemini://felix@random-projects.net/
Hmm. But RFC3985 says "The userinfo subcomponent may consist of a user
name and, optionally, scheme-specific information about how to gain
authorization to access the resource". I think using even just a
username without a password for non-auth purposes is, at the very least,
against the spirit of the spec.

There are practical difficulties, too. If servers used the username to
select a user directory, instead of the traditional tilde URL, then for
people to be able to meaningfully copy and paste links from their
client's UI, said UI would need to render the userinfo component.
That's going to be very dangerous if some other servers are using it for
actual authentication.

Putting credentials into URLs in general seems like playing with fire to
me. Client certificates are much safer in this regard, and more useful.
The documentation for an app can say "To change your profile details, go
to gemini://fancyapp.com/edit/profile" and if I'm "logged in" via an
active cert I can follow that link and it will work. Or I can paste the
URL at which I get an error to the developer to help them debug, and
they don't have to know my identity. Etc.

Cheers,
Solderpunk
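The practical problem raised in the reply above (a client UI that would have to render the userinfo component for links to be copy-and-pasteable, while other servers might treat that same component as credentials) is easier to see in code. The following is an added example, not code from the original post or from any Gemini client or server project. It uses Python's urllib.parse to pull the userinfo out of a gemini:// URL, produces a redacted copy of the URL that is safe to show in a UI, write to a log, or paste to a developer, and applies a hypothetical server-side policy that refuses requests carrying userinfo at all. The sample URLs, including the "hunter2" password, are constructed for the example; the refusal policy is an assumed operator choice, not a rule the thread states.

```python
from urllib.parse import urlsplit, urlunsplit

GEMINI_DEFAULT_PORT = 1965  # Gemini's well-known port


def parse_gemini_url(url: str) -> dict:
    """Break a gemini:// URL into its pieces, exposing the userinfo component
    (RFC 3986 'user[:password]@') separately from host, port and path."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "gemini":
        raise ValueError(f"not a gemini URL: {url!r}")
    # userinfo is everything before the last '@' of the authority; '@' may not
    # appear unencoded inside userinfo or host, so rpartition is unambiguous.
    userinfo, sep, _hostport = parts.netloc.rpartition("@")
    return {
        "userinfo": userinfo if sep else None,
        "username": parts.username,              # None when no userinfo
        "has_password": parts.password is not None,
        "host": parts.hostname,
        "port": parts.port or GEMINI_DEFAULT_PORT,
        "path": parts.path or "/",
    }


def redact_userinfo(url: str) -> str:
    """Return the URL with the userinfo component removed.

    This is the form a client should render, log, or let the user copy:
    it carries everything needed to reach the resource and nothing that
    could act as a credential on a server that does treat userinfo as one."""
    parts = urlsplit(url)
    _userinfo, sep, hostport = parts.netloc.rpartition("@")
    if not sep:
        return url  # nothing to redact
    return urlunsplit(parts._replace(netloc=hostport))


def check_request_url(url: str) -> tuple[bool, str]:
    """Hypothetical server-side policy (an assumption for this example, not a
    rule from the thread): refuse any request whose URL carries userinfo, so
    credentials never arrive in the request line and never land in access
    logs. Returns (accepted, reason)."""
    info = parse_gemini_url(url)
    if info["userinfo"] is None:
        return True, "ok"
    if info["has_password"]:
        return False, "credentials in URL are not accepted"
    return False, "userinfo in URL is not accepted"


def access_log_line(url: str) -> str:
    """Build the line a server would write to its access log: always the
    redacted URL, plus the policy decision."""
    accepted, reason = check_request_url(url)
    return f"{redact_userinfo(url)} {'ACCEPT' if accepted else 'REJECT'} {reason}"


if __name__ == "__main__":
    # Constructed sample requests, mirroring the two forms discussed in the thread
    # plus a URL with a password to show what a log would otherwise expose.
    samples = [
        "gemini://random-projects.net/~felix/",      # traditional tilde directory
        "gemini://felix@random-projects.net/",       # username used as a selector
        "gemini://felix:hunter2@random-projects.net/",  # credentials in the URL
        "gemini://fancyapp.com/edit/profile",        # plain link, auth via cert
    ]
    for sample in samples:
        print(access_log_line(sample))
```

The two operations are deliberately separate: `redact_userinfo` is what a client needs regardless of server policy (it never puts a credential into a UI, clipboard or log), while `check_request_url` is the server-side stance an operator who agrees with the reply above might take, returning a reason suitable for a bad-request response.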