Re: Chartering work has started for a Linked Data Signature Working Group @W3C

On 6/4/21 10:16 AM, Dan Brickley wrote:
> That does sound really really bad.

What, specifically, sounds really really bad? Please define "that".

What the response above sounds like is this:

"""
It sounds really, really bad that the software Manu wrote for Peter implements
a known best practice to not, by default, load JSON-LD Contexts from the
network, and instead load known good values from disk, when performing a
digital signature.
"""

It sounds like you're making an argument against a best practice. What part of
what I said sounded bad to you?

> Perhaps the WG charter should cover only use of self-contained Linked Data
> / RDF format, eg Turtle/TRiG?

If you are loading a JSON-LD Context from disk, it is self-contained Linked
Data. If you are using embedded JSON-LD Contexts, it is self-contained Linked
Data.

A significant number of use cases exist in the Verifiable Credentials
ecosystem, which is JSON-LD that refers to JSON-LD Contexts using HTTP Links
and loads them from disk. We shouldn't be talking about putting those use
cases out of scope since that is a significant amount of the implementer
community for this work.

> And then try to secure hypertext / multi-stakeholder RDF syntaxes (json-ld,
> grddl, ...) as a stretch goal rather than core business?

As Ivan mentioned, this is already covered by previous changes that were made
to the Charter based on your input. This "don't load remote contexts when
doing a digital signature" falls under "additional Linked Data Integrity
techniques" in "Other Deliverables". It's not mentioned in the core LDP
algorithms because it's an "additional Linked Data Integrity technique"... we
will probably want to speak to it in the Security Considerations.

I will note that we put this stuff out of the critical path because it was
requested to not be a focus of the group and now people are simultaneously
frustrated that it's not mentioned in the LDP algorithm (Peter) and not
completely out of scope (you).

-- manu

-- 
Manu Sporny - https://www.linkedin.com/in/manusporny/
Founder/CEO - Digital Bazaar, Inc.
blog: Veres One Decentralized Identifier Blockchain Launches
https://tinyurl.com/veres-one-launches

Received on Friday, 4 June 2021 16:01:42 UTC
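
The practice described in this message (serve JSON-LD Contexts from known good local copies and refuse network loads when signing), as an added example that is not part of the original e-mail and is not Digital Bazaar's code. The context URLs, their contents and the function names are constructed for illustration, absolute context URLs are assumed, and the loader's return shape follows the jsonld.js document loader convention.

```javascript
// Constructed stand-in for vetted context files shipped on disk; URLs and terms are placeholders.
const LOCAL_CONTEXTS = new Map([
  ['https://example.org/contexts/credential-v1', {'@context': [
    'https://example.org/contexts/base-v1',
    {holder: 'https://example.org/vocab#holder'}]}],
  ['https://example.org/contexts/base-v1', {'@context': {name: 'https://schema.org/name'}}]
]);

// Resolve a context URL from the local store only; unknown URLs are an error, never a fetch.
function loadLocalContext(url) {
  if (!LOCAL_CONTEXTS.has(url)) {
    throw new Error('context not in local store, refusing to fetch: ' + url);
  }
  return LOCAL_CONTEXTS.get(url);
}

// Same lookup wrapped in the result shape a jsonld.js document loader returns.
async function documentLoader(url) {
  return {contextUrl: null, documentUrl: url, document: loadLocalContext(url)};
}

// Walk a @context value (URL string, array, or embedded object) and record
// every URL it references, following locally stored contexts transitively.
function collectContextUrls(ctx, seen) {
  if (typeof ctx === 'string') {
    if (seen.has(ctx)) return;
    seen.add(ctx);
    const local = LOCAL_CONTEXTS.get(ctx);
    if (local) collectContextUrls(local['@context'], seen);
  } else if (Array.isArray(ctx)) {
    ctx.forEach(c => collectContextUrls(c, seen));
  } else if (ctx && typeof ctx === 'object') {
    // Embedded contexts need no loading but can reference others (@import, scoped contexts).
    if (typeof ctx['@import'] === 'string') collectContextUrls(ctx['@import'], seen);
    for (const def of Object.values(ctx)) {
      if (def && typeof def === 'object' && '@context' in def) {
        collectContextUrls(def['@context'], seen);
      }
    }
  }
}

// Pre-signing check: URLs that only a network fetch could satisfy (empty = self-contained).
function missingContexts(doc) {
  const seen = new Set();
  collectContextUrls(doc['@context'], seen);
  return [...seen].filter(url => !LOCAL_CONTEXTS.has(url));
}
```

Running `missingContexts` before signing or verifying turns an unexpected remote context into an explicit rejection, and passing `documentLoader` to the JSON-LD processor enforces the same rule during processing.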