Tim Panton

Does your org own your domain name and trademark?

If not - make a fallback plan now!

I'm watching in horror as the W3C tries to retain control over its domain w3.org and the w3c trademark, which to date has been held on its behalf by MIT.

MIT's lawyers seem to me to have spotted an opportunity to make some money by gouging the not-for-profit standards body.

Dec 17, 2022 at 10:56amWeb
Show threadTim PantonDec 17, 2022

In case anyone was wondering why this matters:

xmlns="http://www.w3.org/1999/xhtml" is why.

(Update - TIL - Modern apps don’t actually fetch these references. So the next bit is wrong for most important cases)

If www.w3.org breaks - then _all_ those xml schema all over the web and in apps break too.

So it isn't a little not-for-profit corp matter.
It's an #infosec #ddos matter .

XHTML namespace

Show threadRairiiDec 17, 2022
@steely_glint XML sucks anyway, i'm all for the anarchy this would cause
Show threadTim PantonDec 17, 2022
@Rairii Hah, I have a soft spot for xml - I do know what you mean - but it underpins web things like SVG too.
Show threadThe DoctorDec 17, 2022

@Rairii @steely_glint XML sucks ass in multiple universes simultaneously.

However, it'd also mess with your site.

Show threadElias MårtensonDec 17, 2022

@steely_glint The namespace names have the forms of URL's, but they are not actually addresses. It's just a pretty bad way to make them unique.

There is a convention to put documentation about the namespace on that URL, but that's not required.

Show threadTim PantonDec 17, 2022
@loke True - but what about schemas ?
Show threadAndrew JorgensenDec 17, 2022
@steely_glint @loke user agents aren't supposed to actually fetch schema unless they don't already know about them. Browsers should all know the schema without fetching. There are of course programs that do fetch schema, but that's considered a risk.
Show threadElias MårtensonDec 17, 2022

@ajorg @steely_glint Most XML parser should know about the W3C schemas as standard and would not need to fetch them from the w3c site, as far as I know.

Also, most security recommendations suggests to disable all external downloads, so the impact would be minimal, I think.

Show threadTim PantonDec 17, 2022
@loke @ajorg that’s good to know. I haven’t worked with xml for a couple of decades. Things have improved it seems.
Show threadAndrew JorgensenDec 17, 2022
@steely_glint @loke yeah, I do recall that in the early days fetching schema was expected. XML is just too complicated for that to be safe.
Show threadThe DoctorDec 17, 2022
@steely_glint How feasible would it be to make a local copy of that file, self host it, and change the URL? Pre-coffee it seems pretty straightforward.
Show threadTim PantonDec 17, 2022
@drwho I am (as I discovered today) shockingly out of date on xml.
But my understanding is that in some cases the url is what matters, in others the content is important. If you know which camp your app falls into, and it is the second, then yes, that would work, indeed it is considered best practice.
Show threadThe DoctorDec 17, 2022
@steely_glint How could one tell?
Show threadNemo_bis 🌈Dec 17, 2022
@drwho Usually by asking your XML parser to enforce the schema. Often that requires you to provide the schemas somewhere, e.g. from local copies or by download from some place.
Show threadThe DoctorDec 18, 2022
@steely_glint Hmm. Makes me wonder how badly web browsers have fucked this seemingly elementary thing up.
Show threadNemo_bis 🌈Dec 17, 2022
@steely_glint Are you implying that MIT is more likely to break those URLs than the alternative holder? Why?
Show threadThe DoctorDec 17, 2022
@steely_glint Leandra's mirroring that site right now, just in case.
Show threadTomalakDec 17, 2022

@steely_glint Not true. No XML parser actually fetches the namespace URIs.

Namespace URIs are strings. Their only purpose is to be a) uniqe and b) well-known. Whether there actually is anything at the URL in question is completely irrelevant. XML parsers do not care, and do not ever try to fetch anything from them. Nothing will break when whatever organization came up with a namespace changes their name or ceases to exist.

Show threadTim PantonDec 17, 2022

@tomalak Yes, you are right, I updated the post to correct this.

I am (as I said elsewhere in replies) 20 years out of date with XML. Back then we did read in public schemas, but that's now not done either.

Thanks for pointing out my error.

Show threadTomalakDec 17, 2022

@steely_glint It's a common mistake to make, I've seen tons of people on Stack Overflow over the years making the same assumption, that's why my "hold up" reaction came so quickly. :)

Generally XML namespaces seem to confuse people even though they're quite straightforward.

Show threadBill WoodcockDec 17, 2022
@steely_glint Only one company owns .ORG domains, and it's not the registrant. So, yes, if you depend on a .org domain, you definitely need a backup plan. Next round of TLD applications should be open in another year or two.
Show threadTim PantonDec 17, 2022

@woody If I understand the W3.org thing correctly - MIT are the registrant and are using this as a lever to extract money from a not-for-profit - Who is the owner of .org ?

(or is this a Voldemort thing where the name is _never_ mentioned....)

Show threadBill WoodcockDec 17, 2022
@steely_glint The answer is many-layered. Functionally, the "owner" is PIR, which is in turn owned by ISOC. The primary beneficiary is "Ethos," a private-equity firm which, uh... Well, you can find out about them if they haven't sufficiently scrubbed search results.
Show threadKevin P. FlemingDec 17, 2022
@steely_glint @woody The underlying issue is that until very recently, the W3C was not itself a legal entity, but was instead a brand name for a combined effort organized by its host organizations (with MIT being both the creator and the largest host).
Show threadTim PantonDec 17, 2022

@kevin @woody

There is an important lesson here - create a legal entity the moment (or the moment before) you have any assets to hold.

Depending on the kindness of others is asking for future trouble.

Show threadKevin P. FlemingDec 17, 2022
@steely_glint @woody Or use a compatible fiscal host with a mission that aligns with yours - that's more relevant for open source software projects, but still important.
Show threadTim PantonDec 17, 2022
@kevin @woody Indeed, Fiscal hosts were mentioned on our podcast https://distributedfutu.re/#episode79 - but it would be interesting to learn more about them.
Distributed Future - a podcast

Show threadBill WoodcockDec 17, 2022
@kevin @steely_glint The IETF has had exactly the same problem.
Show threadLudovic :Firefox: :FreeBSD:Dec 17, 2022
@steely_glint I thought you meant Wikipedia
Show thread${jndi:blit32 💻Dec 17, 2022
@steely_glint can you point me to some source marrying what is going on with w3c.org? I’m out of the loop since this is the first time I heard about issues with the domain and DuckDuckGo didn’t give back any useful results
Show threadTim PantonDec 17, 2022
@blit32 best bet is to follow @robin - or if your org is a w3c member have a chat with your AC rep who will have been getting members only updates.
Show thread${jndi:blit32 💻Dec 17, 2022
@steely_glint @robin Thanks!
Show threadjonl316Dec 17, 2022
@steely_glint WOW!! that is rediculous!!