-
Notifications
You must be signed in to change notification settings - Fork 22
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Allow JSON-LD documents to "pin" their @contexts and @imports #422
Comments
My understanding is that That section also references and reuses the Subresource Integrity spec. |
There has been a fairly large amount of discussion of the general topic of Data and Resource Integrity in the context of the Credentials CG and the Verifiable Credentials WG. This also feeds into the question of whether it's needed to address a document including all its intricacies (comments, formatting, etc.), or some content of that document (such as the RDF statements contained within a Turtle document, where the Turtle could be changed substantially without changing the RDF), and that led to the launch of the RDF Dataset Canonicalization and Hash Working Group. See also
|
https://medium.com/@markus.sabadello/json-ld-vcs-are-not-just-json-4488d279be43 by @peacekeeper points out that if someone signs the bytes of a JSON-LD document, the recipient of that signature can't be confident they're reading the same meaning that the signer intended, because the
@context
value might have changed by the time they fetch it.The Verifiable Credentials spec approaches this problem in https://w3c.github.io/vc-data-model/#base-context by saying that implementations must treat https://www.w3.org/ns/credentials/v2 as already-retrieved, and that the fixed version must have a particular hash. This works for that base context, but as @peacekeeper pointed out, VCs can still include other contexts that aren't constrained. This approach also isn't grounded in the JSON-LD algorithms, which just say to dereference the
@context
s' values without this hash check.https://w3c.github.io/webappsec-subresource-integrity/ solves this problem for subresources within HTML by allowing authors to specify the expected digest for the bytes of the subresource. Parts of that design might be useful for building a similar capability into JSON-LD.
It's also possible to cache the
@context
s (and any other dereferenced fields, like@import
) using their digests. https://hillbrad.github.io/sri-addressable-caching/sri-addressable-caching.html discusses some difficulties for the web context, but many of those might not apply to most JSON-LD use cases.The text was updated successfully, but these errors were encountered: