Add normative requirements regarding media type and proof #1014
Again, I'm for removing this statement altogether, it doesn't seem to be useful and having it seems unnecessarily restrictive and counterintuitive. A verifiable credential is also a credential. Whether it's safe to use is a matter of actually trying to verify its proof, not some metadata statement specifying a media type. We shouldn't imply otherwise.
I like this statement +1. When reading this suggested change as an implementer it tells me something very important about how I can handle the data for this media type, that I'm applying different rules to this content than I would if I'm expecting/requiring an embedded proof.
@quartzjer,
Can you make that more concrete with an example? Then, in your example (of your choice), suppose I hand you a credential that has an embedded proof in one case and I hand you a credential that does not in another, but both are tagged with the same media type. What would you do differently and why?
I'm merging #1014 (comment) based on the support I can see for it.
Yikes, no that's dangerous to train devs to think in those terms. If you are performing a security process by purely doing media type detection you're setting yourself up for failure... you need to check the security characteristics of the message because we have good data now that developers don't always get media types right. Purely switching off of media type with guidance along the lines of "you can trust this" or "you cannot trust this" enables attackers to have another attack vector. That should probably be what we convey in this media types guidance... that the media type is a decent signal, but you shouldn't be making security decisions purely off of it.
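The contrast drawn in the comment above, as an added example (not code from this PR or from the VC specification): a naive acceptance check keyed purely on the declared media type beside one that ignores the label and requires an embedded proof that actually verifies. The media type string, the `DemoHmac2023` proof type, the shared-secret HMAC standing in for a real signature suite, and the sample credential are all constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed stand-in for a signing key; a real proof suite would use a
# public-key signature, not a shared secret.
DEMO_KEY = b"demo-shared-secret-not-for-production"

# Assumed media type string used only to illustrate the naive check.
VC_MEDIA_TYPE = "application/vc+ld+json"

# Constructed sample credential (no proof attached yet).
SAMPLE_CREDENTIAL = {
    "@context": ["https://www.w3.org/ns/credentials/v2"],
    "type": ["VerifiableCredential"],
    "credentialSubject": {"id": "did:example:123"},
}

def _canonical(doc: dict) -> bytes:
    # Simplified canonicalization: sorted-key JSON with the proof object removed.
    body = {k: v for k, v in doc.items() if k != "proof"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def attach_proof(doc: dict) -> dict:
    # Produce a copy of doc carrying a demo proof over its canonical form.
    digest = hmac.new(DEMO_KEY, _canonical(doc), hashlib.sha256).hexdigest()
    return {**doc, "proof": {"type": "DemoHmac2023", "proofValue": digest}}

def proof_verifies(doc: dict) -> bool:
    # Accept only a well-formed proof whose value matches the document body.
    proof = doc.get("proof")
    if not isinstance(proof, dict) or proof.get("type") != "DemoHmac2023":
        return False
    expected = hmac.new(DEMO_KEY, _canonical(doc), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, str(proof.get("proofValue", "")))

def encode(doc: dict) -> bytes:
    return json.dumps(doc).encode()

def naive_is_trusted(media_type: str, payload: bytes) -> bool:
    # The pattern warned against above: trust decided by the label alone.
    return media_type == VC_MEDIA_TYPE

def checked_is_trusted(media_type: str, payload: bytes) -> bool:
    # Media type is at most a routing hint; acceptance needs a verifying proof.
    try:
        doc = json.loads(payload)
    except ValueError:
        return False
    return isinstance(doc, dict) and proof_verifies(doc)
```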