w3c-ccg / security-vocab

The Linked Data Security Vocabulary
https://w3id.org/security
Other
21 stars 21 forks source link

Should id IRIs be prefixed with www? #113

Closed kdenhartog closed 2 years ago

kdenhartog commented 3 years ago

Currently we're using https://w3id.org/security for our IRI values. However, with the DID and VC contexts we use a www prefix in the id properties. I'd like to find a common pattern that I can provide my team with when making sure that contexts are being done properly. With that, I'd like to propose the following best practices for JSON-LD id properties defined in a context.

  1. The id SHOULD be an https:// URL
  2. The id URL SHOULD point to a semantic definition
  3. When using w3id.org, a www subdomain MUST NOT be used.
  4. When using w3.org, a www subdomain MUST be used.

Main reason for the divergence on 3 and 4 is because it represents the fewest breaking changes. However, I'm open to reconciling 3 and 4 so that all ideas use/do not use www.

davidlehn commented 3 years ago

This is phrased oddly if the aim is for context creation best practices. Ids in contexts need to match how those properties are defined elsewhere. You just have to use the correct exact URLs so there's not much of a best practices when creating a context.

Current best practices for creating new properties would likely be to use HTTPS. But I don't think that was the issue here.

Note there is a significant amount of data online that uses ids that are HTTP for historic reasons. Those properties can't easily be changed without introducing complexities like equivalence mapping and inference engines. So if properties are defined as HTTP, just use that. There might be security implications when dereferencing those ids, but the ids themselves are fine as http.

As far as ids using certain domains, the best practices will depend on what those domains support. www is somewhat arbitrary, and it could just as well be something like https://ids.example.com/. Ids can even use non http based schemes.

In the case of w3id.org, as a maintainer there I'd say please use https://w3id.org/. http traffic is supported, but it just redirects to https so would at a minimum be inefficient. I had forgotten this, but looks like www.w3id.org works too. I think that may have been less intentional and more an artifact of the defaults of registrars, certificates, and servers.

I can't speak for what official w3.org policies are but they certainly do redirect many bare domain requests to a www version. Note that doesn't mean that all w3.org ids in specs are https or include www.

The important context creation best practice in all this is to just use ids as they are defined in specs and related docs.

kdenhartog commented 2 years ago

I had forgotten this, but looks like www.w3id.org works too. I think that may have been less intentional and more an artifact of the defaults of registrars, certificates, and servers.

Yup that's what I was focusing on with this. I think this issue should actually be addressed in JSON-LD to encourage best practices (probably doesn't require normative changes)

practically speaking I don't think there's anything that can be done in this repo for it though so I'm good with closing this issue with no action.