openactive / dataset-api-discovery

OpenActive Dataset API Discovery Specification

ID spoofing mitigation when using JSON-LD IDs #7

Open nickevansuk opened 5 years ago

nickevansuk commented 5 years ago

An ID prefix should be provided within the dataset site.

When a dataset site is used by a data user, the data user should check that they have no overlapping prefixes with other registered dataset sites (e.g. https://example.com/system1/ overlaps with https://example.com/system1/subsystem1).

The dataset site's own domain must also match the dataset site's ID prefix.

Additionally the data user should check that all opportunity and offer IDs within the data feeds linked from the dataset site match the specified ID prefix.

This mitigates the risk of ID spoofing: where an attacker could impersonate another booking system by simply using their IDs.

thill-odi commented 5 years ago

I agree on the need to minimise the risk of spoofing - but I fear we might be constraining publisher identifiers too much if we insist that every data item they publish exhibit the same prefix. Would an array of ID prefixes be an acceptable compromise?

nickevansuk commented 5 years ago

Sure, if they have multiple data-centres for example?

Yes makes sense, and perhaps the invariant of "no overlapping prefixes" holds within that array too?
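The checks proposed above (prefix must sit on the dataset site's own domain, no overlapping prefixes across registered sites or within one site's array, and every feed item's `@id` must fall under one of the site's prefixes), as an added illustration in Python; this is not code from the OpenActive project, and the registry shape, function names and sample feed are assumptions made for the example:

```python
from urllib.parse import urlparse

def normalise_prefix(prefix):
    # Treat "https://example.com/system1" and ".../system1/" as the same prefix,
    # so that "system1" is not wrongly treated as overlapping "system10".
    return prefix if prefix.endswith("/") else prefix + "/"

def overlapping_prefixes(prefixes):
    """Pairs (a, b) where prefix a covers prefix b; any result is a conflict."""
    norm = [normalise_prefix(p) for p in prefixes]
    return [(a, b) for i, a in enumerate(norm) for j, b in enumerate(norm)
            if i != j and b.startswith(a)]

def prefix_matches_site(dataset_site_url, prefix):
    """The dataset site's own domain must match the domain of its ID prefix."""
    return urlparse(dataset_site_url).hostname == urlparse(prefix).hostname

def registration_errors(registry, dataset_site_url, prefixes):
    """Checks a data user runs before accepting a dataset site into its registry
    (assumed shape: dict mapping dataset site URL -> list of normalised prefixes)."""
    errors = [f"{p} is not on the dataset site's domain" for p in prefixes
              if not prefix_matches_site(dataset_site_url, p)]
    others = [p for site, ps in registry.items() if site != dataset_site_url
              for p in ps]
    # Overlap is checked across other sites and within this site's own array.
    errors += [f"{a} overlaps {b}" for a, b in overlapping_prefixes(others + list(prefixes))]
    return errors

def register_dataset_site(registry, dataset_site_url, prefixes):
    errors = registration_errors(registry, dataset_site_url, prefixes)
    if not errors:
        registry[dataset_site_url] = [normalise_prefix(p) for p in prefixes]
    return errors

def rejected_items(feed_items, prefixes):
    """Items in a feed whose @id does not sit under any of the site's prefixes."""
    norm = [normalise_prefix(p) for p in prefixes]
    return [item for item in feed_items
            if not any(str(item.get("@id", "")).startswith(p) for p in norm)]

# Constructed sample feed, not taken from any real dataset site.
SAMPLE_FEED = [
    {"@type": "ScheduledSession", "@id": "https://example.com/system1/sessions/1"},
    {"@type": "ScheduledSession", "@id": "https://example.com/system2/sessions/9"},
    {"@type": "ScheduledSession", "@id": "https://other.example/system1/sessions/1"},
]
```

Items returned by `rejected_items` are the ones a data user should drop (and log) rather than ingest, since their IDs claim to belong to a prefix the dataset site did not declare.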