-
Notifications
You must be signed in to change notification settings - Fork 97
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
expires
header for https://www.w3.org/2018/credentials/v1 is in the past
#1239
Comments
Suggest updating the cache time to infinity... / make it never expire, apply the same thing to v2 context. |
The issue was discussed in a meeting on 2023-08-15
View the transcript2.5.
|
I am not a good apache expert. Before updating on the server, I would like to get some comments on the .htaccess file. The relevant parts would then be:
@OR13 I did not find a way to make the expiration time set to infinite. But I actually prefer to keep a regular refresh request, in the case there is a bug in the file that needs change. Even the one month access seems to be fairly large; @jeswr requested a single day... @msporny I guess you have some experience via w3id... |
cc @deniak your reaction is also crucial... |
@jeswr wrote:
You should be permanently caching that context file and not loading it from the Web (unless you have a very good reason that you're not caching the file). We suggested that implementers do this in v1 and v1.1, and we are STRONGLY advising that you do this from v2 and beyond. Search for the word "cache" in the latest data model specification for more information: https://www.w3.org/TR/vc-data-model-2.0/ ... or, see the next-to-last paragraph in this section for specific guidance: https://www.w3.org/TR/vc-data-model-2.0/#json-ld NOTE: Don't permanently cache the v2 context until the v2.0 specification becomes a global standard (expected by end of Q2 2024. @OR13 wrote:
No, we don't want to set it to infinity for the reasons Ivan stated. One accidental admin change to the file and we could permanently knock a number of implementations offline. We need to design for human error, and eventual recovery (even for systems that are implemented in ways that we don't approve of) no matter how remote the possibility. A day, week, or month seems like a reasonable expiry time (depending on how conservative we want to be). @iherman wrote:
w3id.org uses a "heuristically cacheable" approach (but does not provide a "Last-Modified" header by default): https://www.rfc-editor.org/rfc/rfc9111#section-4.2.2 ... and that's not a good model here. We want to be explicit w/ the expiry time, for both the v1 and v2 context. |
Once the TR happens, doesn't setting the cache to anything other than infinity signal we expect the context to change? I get the argument about malicious admins... But it would seem a better defense to set the cache time to infinity when you know it's correct, than it would be to encourage clients to load a context that expired, because the latter will actually lead to broken signatures in the case of an insider threat. |
All recommendations, or adjacent files like the context file, may have errata, and W3C does republish recommendations with such errata handling time-to-time, when needed. The same is true for a context file. |
The issue was discussed in a meeting on 2024-01-24
View the transcript2.8.
|
Based on the Apache expire module settings, what seems doable is to add the following statement into the
(There is no statement to set the expiration for a specific file. Alas!) However, the same Proposal: postpone this change until we publish our Recs. At that point the vocabulary files will have to be collected on W3C date space for finalization, and we can look at the policy altogether instead of making such punctual changes. |
The issue was discussed in a meeting on 2024-02-28
View the transcript3.3.
|
The issue was discussed in a meeting on 2024-03-06
View the transcript2.6.
|
Below is a screenshot of the response headers I received when looking up https://www.w3.org/2018/credentials/v1.
The
expires
header is earlier than the date header which means that the document is not being cached by my browser - and hence the document is taking several hundred ms on each request rather than only the first request taking that long.This can significantly slow down the time it takes to parse VCs as JSON-LD.
Headers:
Timing:
Since this context is presumably quite stable I would request that the document be given a fairly long expiry after the date it is requested (at minimum 1 day).
The text was updated successfully, but these errors were encountered: