# Interoperable use of JSON for `did:web` DIDs As currently specified, the [did:web method](https://w3c-ccg.github.io/did-method-web/) hardcodes a `.json` extension for DID document retrieval, be it from the `.well-known` default or for specific users. It simultaneously expects that document to be a JSON-LD document (see step 3 under [Create](https://w3c-ccg.github.io/did-method-web/#create-register)). At the same time, the [DID Implementation Guide](https://www.w3.org/TR/did-imp-guide/) has a [whole multipage section](https://www.w3.org/TR/did-imp-guide/#drawbacks) cautioning against the risks involved in mixing up JSON and JSON-LD, and not using the prescribed media types being `application/did+json` and `application/did+ld+json`. This is cause for some consternation. If there is one thing that the past 30 years of standards have taught us, it's that, particularly in a heavily distributed context with many actors and no central enforcement, you get *a lot* more interoperability by creating standards that match how people use technology rather than trying to shoehorn people into some narrow pet peeve about correctness. There's a lot more of them than there are of you, and implementers care more about making their users happy than standard wonks. The truth of the matter is that the vast majority of `did:web` documents are, because their URLs end in `.json`, going to be served as `application/json`. In fact it's very likely that DID documents in general (at least those that use a JSON syntax), being produced and served using JSON tools, are going to end up serving their documents as `application/json` no matter what. And the second that this is common, processors will just accept it. Now, in a perfect world people would stop making up media types like `application/did+ld+json` that won't gain traction, but this isn't a perfect world and the Implementation Guide's warning about attacks based on differing semantics between JSON and JSON-LD are real. This kind of attack is *exactly* what you get from using media types in this way and is the primary reason why authoritative metadata must die a fiery death. Here's the fix: we need to define how DID processors process `application/json` documents. This is done as follows: 1. If there is an `@context` key at the root of the document, process it according to the JSON-LD rules. If you aren't able to do so, then reject the document. 2. Otherwise, process the document according to the JSON rules. If you aren't able to do so, then reject the document. That's it. The benefits are that: * This is a lot more robust and is safe against authoritative metadata antipatterns. * It matches likely real-world usage. * It makes it possible to completely ignore `application/did+json` and `application/did+ld+json`.
Last changed by  
Robin Berjon
721

Read more

HTTP Governance Code

100 Continue

3/21/2024
Basic IPFS User Stories

sync, deletion, version, retrieve, verify

2/21/2024
Issues & Action Items

This document captures how the Board manages issues and action items.

2/5/2024
Ecosystem Layer

Abstract

8/24/2023
Read more from Robin Berjon
Published on HackMD