- From: Manu Sporny <msporny@digitalbazaar.com>
- Date: Sat, 6 Feb 2021 10:33:20 -0500
- To: Ivan Herman <ivan@w3.org>
- Cc: W3C VC Working Group <public-vc-wg@w3.org>
On 2/6/21 2:53 AM, Ivan Herman wrote: > "W3C should fix this": what do you mean? The WG's decision was to keep the > context file on github, and to set up a redirection. Do you mean that the > context files should be copied and stored on W3C? Yes, the v1 context files should be frozen, copied, stored, and served from W3C. W3C is supposed to be the authority of the Verifiable Credentials v1 context. At present, the W3C Verifiable Credentials global standard depends on the infrastructure of a private company -- Microsoft (who owns Github). We should fix that. :) We also have people that have access to the Github repository that don't have two-factor authentication turned on and could inject things (either on purpose or accidentally) into Github-served context. We don't want to allow an accident to turn into an attack vector. No one is supposed to be loading the v1 context off of the Web, but we know that not all developers are careful about reading specifications or implementing security protocols properly or paying attention to these sorts of details. > All that being said: we may not want to overreact. The intent was always to freeze the v1 context and to serve the content off of W3C servers (because of W3C's Process and archival agreements w/ multiple institutions that are centuries old). I think all we're doing here is making sure we implement the original intent. :) -- manu -- Manu Sporny - https://www.linkedin.com/in/manusporny/ Founder/CEO - Digital Bazaar, Inc. blog: Veres One Decentralized Identifier Blockchain Launches https://tinyurl.com/veres-one-launches
Received on Saturday, 6 February 2021 15:33:38 UTC