diff --git a/index.html b/index.html index e61ec2c..e277b4a 100644 --- a/index.html +++ b/index.html @@ -521,7 +521,7 @@
Note that authorization provided by the value of `controller` is separate from authentication as described in Section [[[#authentication]]]. -This is particularly important for key recovery in the case of cryptographic key -loss, where the [=subject=] no longer has access to their keys, or key -compromise, where the [=controller=]'s trusted third parties need to +This is particularly important for key recovery in the cases of cryptographic key +loss, where the [=subject=] no longer has access to their keys, or cryptographic +key compromise, where the [=controller=]'s trusted third parties need to override malicious activity by an attacker. See [[[#security-considerations]]] for information related to threat models and attack vectors.
@@ -659,8 +659,8 @@-A [=subject=] can have multiple identifiers for different purposes, or -at different times. The assertion that two or more identifiers (or other types +A [=subject=] can have multiple identifiers that are used for different purposes +or at different times. The assertion that two or more identifiers (or other types of URI) refer to the same [=subject=] can be made using the `alsoKnownAs` property.
@@ -668,7 +668,7 @@Applications might choose to consider two identifiers related by `alsoKnownAs` -to be equivalent if the `alsoKnownAs` relationship is reciprocated in -the reverse direction. It is best practice not to consider them -equivalent in the absence of this inverse relationship. In other words, the -presence of an `alsoKnownAs` assertion does not prove that this assertion is -true. Therefore, it is strongly advised that a requesting party obtain +to be equivalent if the `alsoKnownAs` relationship expressed in the +controller document of one [=subject=] is also expressed in the reverse direction +(i.e., reciprocated) in the controller document of the other [=subject=]. It is +best practice not to consider them +equivalent in the absence of this reciprocating relationship. In other words, +the presence of an `alsoKnownAs` assertion does not prove that this assertion +is true. Therefore, it is strongly advised that a requesting party obtain independent verification of an `alsoKnownAs` assertion.
Given that the [=subject=] might use different identifiers for different -purposes, an expectation of strong equivalence between the two identifiers, or -merging the information of the two corresponding [=controller documents=], is +purposes, such as enhanced privacy protection, an expectation of strong +equivalence between the two identifiers, or taking action to +merge the information from the two corresponding [=controller documents=], is not necessarily appropriate, even with a reciprocal relationship.
Context injection is expected to be unnecessary sometimes, such as when the Verifiable Credential Data Model v2.0 context (`https://www.w3.org/ns/credentials/v2`) -exists as a value in the `@context` property, as that context map all of the +exists as a value in the `@context` property, as that context maps all of the necessary Data Integrity terms that were previously mapped by `https://w3id.org/security/data-integrity/v2`.
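Review bot: In the `@@ -521,7 +521,7 @@` hunk, the rewritten sentence still does not say whose keys are compromised in the "cryptographic key compromise" case. The key-loss clause names the [=subject=], while the compromise clause names only the [=controller=]'s trusted third parties. Since the change already rewraps these lines, consider naming the affected party in both clauses so the recovery scenario reads unambiguously.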
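Review bot: In the `@@ -668,7 +668,7 @@` hunk, the added wording "the controller document of one [=subject=] ... the controller document of the other [=subject=]" implies two distinct subjects, whereas the preceding paragraph describes `alsoKnownAs` as asserting that two or more identifiers refer to the same [=subject=]. Suggest expressing the reciprocity in terms of identifiers, for example "the controller document for one identifier ... the controller document for the other identifier", so the equivalence check is defined over the two documents being compared. The added line "best practice not to consider them" is also left short and could be rewrapped with the line that follows it.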