- From: alex thompson <pierogitus@hotmail.com>
- Date: Thu, 30 Apr 2020 00:04:54 +0000
- To: Kim Hamilton <kimdhamilton@gmail.com>, Manu Sporny <msporny@digitalbazaar.com>
- CC: "public-credentials@w3.org" <public-credentials@w3.org>, "markus@danubetech.com" <markus@danubetech.com>
- Message-ID: <BY5PR20MB289839C482AFD8458195F543D2AD0@BY5PR20MB2898.namprd20.prod.outlook.com>
Manu, I agree with trying to encourage the scheme syntax ("hl:"). I'll make a pull request that tries not to impede that goal. One last point, what do you think about not using "=" so you would have a query like ?key1&key2=v2 key1 would be the entire hashlink not just "hl" which eliminates key collisions. It would need another delimiter which I propose as double hyphen "--" and you could even use the metadata part as hl--HHHHH--MMMMM My rationale is that because this is such a hack it should have a more distinct syntax than regular url params. Alex ________________________________ From: Kim Hamilton <kimdhamilton@gmail.com> Sent: Tuesday, April 28, 2020 6:16 PM To: Manu Sporny <msporny@digitalbazaar.com> Cc: alex thompson <pierogitus@hotmail.com>; public-credentials@w3.org <public-credentials@w3.org> Subject: Re: Hashlink parameterized URL Thanks Manu, this was very helpful context for me. Regarding: > "hl" colliding with an existing parameter is one of the drawbacks of using it as a query parameter or a fragment identifier. The spec doesn't say this, but should. Can someone open an issue for that, please? I opened an issue for it: https://github.com/w3c-ccg/hashlink/issues/11<https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fw3c-ccg%2Fhashlink%2Fissues%2F11&data=02%7C01%7C%7C6854fb669aaa44cad45608d7ebdaf69a%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C637237197974813844&sdata=HQ3gzS%2BYNEMXNDDWCCBasJixegqyeSciPvTpMDe33NU%3D&reserved=0> Thanks, Kim On Sun, Apr 26, 2020 at 8:08 AM Manu Sporny <msporny@digitalbazaar.com<mailto:msporny@digitalbazaar.com>> wrote: On 4/22/20 7:50 PM, Kim Hamilton wrote: > what's interesting is that this introduces some tooling on the caller > side I hadn't thought about til now. This is presented as a query > parameter, yet callers are simply stripping this off before sending* and > checking the response hash. Yeah, and this is the hacky part of it (and always has been). Remember, using the ?hl=HHHHHH or #hl-HHHHHHHH syntax *is a hack*, it's in the spec because people have legacy systems that they want to hack to upgrade them to have some sort of content protection. For example, JSON-LD Contexts w/ a ?hl=NNNNN value on them would be used by JSON-LD Document Loaders, which would send the value to the server, get the response back, and then check to make sure the server sent them what they asked for. Again, hacky hack, but useful if you don't want to fully commit to the "@context": "hl:HHHHHHHH:MMMMMMM" format, for example. I've been pleading with people to use the latter form (the one in this paragraph) ever since the spec came into existence, but people have their own ideas about why using it as a query parameter or fragment identifier absolutely has to be done in their particular use case. > *for a range of concerns: we don't trust the response, and also what if > "hl" collides with an existing parameter or fails because it doesn't > recognize. "hl" colliding with an existing parameter is one of the drawbacks of using it as a query parameter or a fragment identifier. The spec doesn't say this, but should. Can someone open an issue for that, please? Also, can someone (Alex?) open an issue for encoding as a fragment identifier as another option? > It's weird that we express it as a query parameter and then not use it > that way. Not complaining, just surprised. Servers should pay attention to all query parameters. If the server responds, it's because it processed the query parameters w/o error (yes, that might be that the code path doesn't know anything about "?hl", but that's the world we live in... and is why the client should always check the result. Again, broken record, but -- please don't use "?hl=HHHHH" syntax! It is brittle. Please, please, please use "hl:HHHHH:MMMMM" syntax if remotely possible... it's the most secure option. The reason "?hl=HHHHHH" is useful is because the server can actually produce different results for different hashes at the same URL. For example: https://w3id.org/security/latest?hl=12345<https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Fw3id.org%2Fsecurity%2Flatest%3Fhl%3D12345&data=02%7C01%7C%7C6854fb669aaa44cad45608d7ebdaf69a%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C637237197974823838&sdata=G%2Bh90JmVkSmHvR5EXvI%2BupJG4sDAmTzfX3kTzqLAh8U%3D&reserved=0> https://w3id.org/security/latest?hl=6789<https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Fw3id.org%2Fsecurity%2Flatest%3Fhl%3D6789&data=02%7C01%7C%7C6854fb669aaa44cad45608d7ebdaf69a%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C637237197974823838&sdata=arnt%2FSQ1LnBQ%2FzSNq%2BxYWO8hq3mE2rbsokzkUsv1FQ0%3D&reserved=0> The two base URLs w/o query parameters above are actually two different resources... doing the above would be compatible w/ all URL fetching libraries today, but it would allow people to choose the bleeding edge they're working on w/o causing the URL maintainers to keep upgrading the base URL. Orie, if you're seeing this, doing so would allow us to manage the DID Specification Registries JSON-LD Context in a way that would enable people to lock into a particular version of the registry while not holding up everyone else. Yes, it would mean hundreds of JSON-LD Contexts, but that is a natural result of the decision that the DID WG made. In any case, we may want to consider this, rather than .../did/registries/v1 -> .../did/registries/v83 Kim, Alex, was this helpful? -- manu -- Manu Sporny - https://www.linkedin.com/in/manusporny/<https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.linkedin.com%2Fin%2Fmanusporny%2F&data=02%7C01%7C%7C6854fb669aaa44cad45608d7ebdaf69a%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C637237197974833836&sdata=jYov8HWS9prwXGBuGbctcH1xYR1WizqCue9kG2yV9Ws%3D&reserved=0> Founder/CEO - Digital Bazaar, Inc. blog: Veres One Decentralized Identifier Blockchain Launches https://tinyurl.com/veres-one-launches<https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftinyurl.com%2Fveres-one-launches&data=02%7C01%7C%7C6854fb669aaa44cad45608d7ebdaf69a%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C637237197974833836&sdata=XlIUerRpPm%2FEFgKvGyUITYqmG7wyemSuWLM2O14Zyd4%3D&reserved=0>
Received on Thursday, 30 April 2020 00:05:08 UTC