second-guess the choice to use .well-known for type metadata documents

[bc-pi]

Dr. Fett, PhD:

Gentlemen,
Some feedback I received (on top of the comments we already got in the issuers) makes me second-guess the choice to use a .well-known URL for the type metadata documents. In fact, RFC 5785 tells us that .well-known is mainly to be used for site-wide information or information about a specific host.

As such, the well-known URI space was created with the expectation
that it will be used to make site-wide policy information and other
metadata available directly (if sufficiently concise), or provide
references to other URIs that provide such metadata.

Brian Campbell, B.A.:

That feedback seems not wrong to me. We've got probably a lot of somewhat questionable uses of .well-known but type metadata is maybe less well suited than most. And less needed.
It could just point to the json document. Or we make up some convention. Or something with uri templates.

[danielfett]

Relevant related issues: #256, #242, #233

[alenhorvat]

I believe that lifting the restriction is not preventing the use of .well-known;
IMO there are two approaches

• provide the full link
• signal that the metadata is under the well-known

However, metadata owner must be aware of the responsibility to take care of the versioning. As mentioned in #256, should there be a requirement to either use hash links or protect the remote content via vct#digest?

Dr. Horvat, PhD

[danielfett]

Maybe I'm missing something, but the change in PR #272 should mostly solve this, I think. It now requires to provide the full URL to the metadata. (If someone wants to provide it under .well-known, that is their choice, but doesn't influence the requester at all).

For versioning I filed a new issue. Not sure about making #digest mandatory, but we should also discuss this separately.

[alenhorvat]

#digest mandatory, but we should also discuss this separately.

-> if it's an external resource, it should be defined how it is protected