Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow JSON-LD documents to "pin" their @contexts and @imports #422

Open
jyasskin opened this issue Nov 14, 2023 · 2 comments
Open

Allow JSON-LD documents to "pin" their @contexts and @imports #422

jyasskin opened this issue Nov 14, 2023 · 2 comments

Comments

@jyasskin
Copy link
Member

https://medium.com/@markus.sabadello/json-ld-vcs-are-not-just-json-4488d279be43 by @peacekeeper points out that if someone signs the bytes of a JSON-LD document, the recipient of that signature can't be confident they're reading the same meaning that the signer intended, because the @context value might have changed by the time they fetch it.

The Verifiable Credentials spec approaches this problem in https://w3c.github.io/vc-data-model/#base-context by saying that implementations must treat https://www.w3.org/ns/credentials/v2 as already-retrieved, and that the fixed version must have a particular hash. This works for that base context, but as @peacekeeper pointed out, VCs can still include other contexts that aren't constrained. This approach also isn't grounded in the JSON-LD algorithms, which just say to dereference the @contexts' values without this hash check.

https://w3c.github.io/webappsec-subresource-integrity/ solves this problem for subresources within HTML by allowing authors to specify the expected digest for the bytes of the subresource. Parts of that design might be useful for building a similar capability into JSON-LD.

It's also possible to cache the @contexts (and any other dereferenced fields, like @import) using their digests. https://hillbrad.github.io/sri-addressable-caching/sri-addressable-caching.html discusses some difficulties for the web context, but many of those might not apply to most JSON-LD use cases.
@peacekeeper
Copy link

My understanding is that relatedResource is a proposed way to address this, e.g. see this example:
https://w3c.github.io/vc-data-model/#example-usage-of-the-relatedresource-property

That section also references and reuses the Subresource Integrity spec.

@TallTed
Copy link
Member

TallTed commented Nov 15, 2023

relatedResource on its own is an untyped link, akin to <a href="..."> with no other attributes (most commonly rel), and should not be encouraged in our quest to make the web more semantically processable.

There has been a fairly large amount of discussion of the general topic of Data and Resource Integrity in the context of the Credentials CG and the Verifiable Credentials WG.

This also feeds into the question of whether it's needed to address a document including all its intricacies (comments, formatting, etc.), or some content of that document (such as the RDF statements contained within a Turtle document, where the Turtle could be changed substantially without changing the RDF), and that led to the launch of the RDF Dataset Canonicalization and Hash Working Group.

See also

@jyasskin jyasskin mentioned this issue Nov 30, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
JSON-LD Management
Status: Future Work
Milestone
No milestone
Development

No branches or pull requests
3 participants
@jyasskin @peacekeeper @TallTed