Network Working Group A. Dulaunoy Internet-Draft CIRCL Intended status: Informational 20 March 2026 Expires: 21 September 2026 The Open Contributions Descriptor draft-dulaunoy-open-contributions-descriptor-00 Abstract This document defines the Open Contributions Descriptor (OCD), a JSON format for publishing machine-readable metadata about an organization's participation in the open ecosystem. OCD allows organizations to publish a single discovery document describing open source projects, open data publications, open standards participation, contact information, governance material, and declared relationships to external organizations and projects. OCD is intended to be published at a predictable well-known location to support automated discovery, indexing, and ecosystem analysis. Note to Readers This Internet-Draft is derived from the working specification maintained by the Open Contributions Descriptor project in its public Git repository (https://github.com/ossbase-org/Open-Contributions- Descriptor). Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on 21 September 2026. Dulaunoy Expires 21 September 2026 [Page 1] Internet-Draft Open Contributions Descriptor March 2026 Copyright Notice Copyright (c) 2026 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/ license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Conventions and Definitions . . . . . . . . . . . . . . . . . 3 3. Publication and Discovery . . . . . . . . . . . . . . . . . . 3 4. Document Model . . . . . . . . . . . . . . . . . . . . . . . 4 4.1. spec_version . . . . . . . . . . . . . . . . . . . . . . 6 4.2. generated_at . . . . . . . . . . . . . . . . . . . . . . 6 4.3. organization . . . . . . . . . . . . . . . . . . . . . . 6 4.3.1. organization.links . . . . . . . . . . . . . . . . . 6 4.4. contacts . . . . . . . . . . . . . . . . . . . . . . . . 7 4.5. policies . . . . . . . . . . . . . . . . . . . . . . . . 7 4.6. projects . . . . . . . . . . . . . . . . . . . . . . . . 8 4.6.1. Project Object . . . . . . . . . . . . . . . . . . . 8 4.6.2. repository . . . . . . . . . . . . . . . . . . . . . 9 4.6.3. links . . . . . . . . . . . . . . . . . . . . . . . . 9 4.6.4. links.metadata . . . . . . . . . . . . . . . . . . . 9 4.6.5. participate . . . . . . . . . . . . . . . . . . . . . 10 4.6.6. governance . . . . . . . . . . . . . . . . . . . . . 10 4.6.7. release . . . . . . . . . . . . . . . . . . . . . . . 10 4.7. open_data . . . . . . . . . . . . . . . . . . . . . . . . 10 4.7.1. open_data.urls . . . . . . . . . . . . . . . . . . . 11 4.8. open_standards . . . . . . . . . . . . . . . . . . . . . 11 4.8.1. contributions . . . . . . . . . . . . . . . . . . . . 12 4.9. relationships . . . . . . . . . . . . . . . . . . . . . . 12 4.9.1. target . . . . . . . . . . . . . . . . . . . . . . . 14 4.9.2. target.project . . . . . . . . . . . . . . . . . . . 14 4.9.3. evidence . . . . . . . . . . . . . . . . . . . . . . 15 4.10. extensions . . . . . . . . . . . . . . . . . . . . . . . 15 5. Validation and Processing Rules . . . . . . . . . . . . . . . 15 6. Example . . . . . . . . . . . . . . . . . . . . . . . . . . . 15 7. Security Considerations . . . . . . . . . . . . . . . . . . . 19 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 19 9. Normative References . . . . . . . . . . . . . . . . . . . . 20 Appendix A. References . . . . . . . . . . . . . . . . . . . . . 20 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 20 Dulaunoy Expires 21 September 2026 [Page 2] Internet-Draft Open Contributions Descriptor March 2026 1. Introduction Organizations participate in the open ecosystem in many different ways, including by maintaining software, publishing datasets, contributing to standards, documenting governance, and supporting external communities. Today, this information is usually fragmented across websites, forge hosting platforms, policy pages, and standards organization portals. The Open Contributions Descriptor (OCD) defines a single JSON [RFC8259] document that aggregates this information in a predictable format. OCD is intended for both human readers and automated tooling. Example use cases include: * organizational open-source program office inventories; * cataloging of open data and public APIs; * ecosystem mapping and stewardship analysis; * transparency around standards participation; and * automated discovery of contribution entry points and contact channels. The design goals of OCD are: * provide a single discovery endpoint for organizational open activities; * support both human discovery and machine automation; * remain extensible without breaking compatibility; and * allow partial adoption where only some sections are populated. 2. Conventions and Definitions The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here. The underlying representation of OCD is JSON as defined by [RFC8259]. Date and date-time values use RFC 3339 formatting [RFC3339]. 3. Publication and Discovery An OCD document is intended to be published at the following location: https:///.well-known/open-contributions.json Dulaunoy Expires 21 September 2026 [Page 3] Internet-Draft Open Contributions Descriptor March 2026 The use of the /.well-known/ path follows the general mechanism defined in [RFC8615]. Organizations MAY publish the same content at additional locations, but the well-known location is the canonical discovery endpoint. 4. Document Model An OCD document is a UTF-8 encoded JSON object. Unknown members MAY appear in an OCD document. Consumers MUST ignore members they do not understand, unless a profile or extension explicitly defines stricter processing rules. The top-level object has the following members. Dulaunoy Expires 21 September 2026 [Page 4] Internet-Draft Open Contributions Descriptor March 2026 +================+========+=============+===========================+ | Field | Type | Requirement | Description | +================+========+=============+===========================+ | spec_version | string | REQUIRED | Version of the OCD | | | | | specification | | | | | implemented by the | | | | | document. | +----------------+--------+-------------+---------------------------+ | generated_at | string | REQUIRED | Timestamp indicating | | | | | when the document was | | | | | generated. | +----------------+--------+-------------+---------------------------+ | organization | object | REQUIRED | Metadata describing | | | | | the publishing | | | | | organization. | +----------------+--------+-------------+---------------------------+ | contacts | object | OPTIONAL | Contact information | | | | | related to open | | | | | activities. | +----------------+--------+-------------+---------------------------+ | policies | object | OPTIONAL | Organizational | | | | | policies relevant to | | | | | openness and | | | | | participation. | +----------------+--------+-------------+---------------------------+ | projects | array | OPTIONAL | Open source projects | | | | | maintained or | | | | | contributed to. | +----------------+--------+-------------+---------------------------+ | open_data | array | OPTIONAL | Published open | | | | | datasets and feeds. | +----------------+--------+-------------+---------------------------+ | open_standards | array | OPTIONAL | Participation in | | | | | standards | | | | | organizations or | | | | | specifications. | +----------------+--------+-------------+---------------------------+ | relationships | array | OPTIONAL | Relationships to | | | | | external | | | | | organizations and | | | | | projects. | +----------------+--------+-------------+---------------------------+ | extensions | object | OPTIONAL | Organization-specific | | | | | extensions. | +----------------+--------+-------------+---------------------------+ Table 1 Dulaunoy Expires 21 September 2026 [Page 5] Internet-Draft Open Contributions Descriptor March 2026 4.1. spec_version The spec_version member identifies the version of the OCD specification used by the document. 4.2. generated_at The generated_at member MUST be an RFC 3339 date-time string. 4.3. organization The organization object describes the entity publishing the descriptor. +=============+========+=============+=============================+ | Field | Type | Requirement | Description | +=============+========+=============+=============================+ | name | string | REQUIRED | Official organization name. | +-------------+--------+-------------+-----------------------------+ | domain | string | REQUIRED | Primary domain hosting the | | | | | descriptor. | +-------------+--------+-------------+-----------------------------+ | description | string | OPTIONAL | Short description of the | | | | | organization. | +-------------+--------+-------------+-----------------------------+ | country | string | OPTIONAL | ISO 3166-1 alpha-2 country | | | | | code. | +-------------+--------+-------------+-----------------------------+ | links | object | OPTIONAL | Public organizational | | | | | links. | +-------------+--------+-------------+-----------------------------+ Table 2 4.3.1. organization.links +=================+===========================================+ | Field | Description | +=================+===========================================+ | homepage | Main organizational website. | +-----------------+-------------------------------------------+ | opensource_page | Dedicated open-source or OSPO page. | +-----------------+-------------------------------------------+ | github_org | Primary source code organization profile. | +-----------------+-------------------------------------------+ Table 3 Dulaunoy Expires 21 September 2026 [Page 6] Internet-Draft Open Contributions Descriptor March 2026 4.4. contacts The contacts object provides points of contact relevant to the publishing organization's open activities. +============+========+============================================+ | Field | Type | Description | +============+========+============================================+ | opensource | object | General open-source contact. | +------------+--------+--------------------------------------------+ | security | object | Security disclosure reference; this SHOULD | | | | point to security.txt when applicable. | +------------+--------+--------------------------------------------+ | community | object | Community engagement contact. | +------------+--------+--------------------------------------------+ Table 4 Each contact object MAY contain the following members. +=======+========+========================+ | Field | Type | Description | +=======+========+========================+ | email | string | Contact email address. | +-------+--------+------------------------+ | url | string | Contact webpage. | +-------+--------+------------------------+ Table 5 4.5. policies The policies object links to organizational governance and participation policies. +==========================+==================================+ | Field | Description | +==========================+==================================+ | code_of_conduct | Community code of conduct. | +--------------------------+----------------------------------+ | contributing | Contribution guidelines. | +--------------------------+----------------------------------+ | vulnerability_disclosure | Vulnerability disclosure policy. | +--------------------------+----------------------------------+ | license_policy | Licensing strategy or guidance. | +--------------------------+----------------------------------+ Table 6 Dulaunoy Expires 21 September 2026 [Page 7] Internet-Draft Open Contributions Descriptor March 2026 4.6. projects The projects member is an array of project objects. Each element describes one open source project. 4.6.1. Project Object The following project members are defined. +=============+========+=============+=============================+ | Field | Type | Requirement | Description | +=============+========+=============+=============================+ | name | string | REQUIRED | Project name. | +-------------+--------+-------------+-----------------------------+ | description | string | REQUIRED | Short project description. | +-------------+--------+-------------+-----------------------------+ | repository | object | REQUIRED | Source repository metadata. | +-------------+--------+-------------+-----------------------------+ | links | object | OPTIONAL | Human-facing and machine- | | | | | facing resources. | +-------------+--------+-------------+-----------------------------+ | participate | object | OPTIONAL | External contribution entry | | | | | points. | +-------------+--------+-------------+-----------------------------+ | governance | object | OPTIONAL | Governance information. | +-------------+--------+-------------+-----------------------------+ | release | object | OPTIONAL | Release and security | | | | | lifecycle information. | +-------------+--------+-------------+-----------------------------+ | status | string | OPTIONAL | Project lifecycle state. | +-------------+--------+-------------+-----------------------------+ | tags | array | OPTIONAL | Keywords describing the | | | | | project. | +-------------+--------+-------------+-----------------------------+ Table 7 Valid values for status are: * active: maintained and accepting contributions; * archived: no active development but preserved; and * disabled: service or project no longer available. Dulaunoy Expires 21 September 2026 [Page 8] Internet-Draft Open Contributions Descriptor March 2026 4.6.2. repository +=========+=============+=====================================+ | Field | Requirement | Description | +=========+=============+=====================================+ | url | REQUIRED | Canonical repository URL. | +---------+-------------+-------------------------------------+ | license | REQUIRED | SPDX license identifier. | +---------+-------------+-------------------------------------+ | type | OPTIONAL | Repository type, for example git. | +---------+-------------+-------------------------------------+ | clone | OPTIONAL | Clone URL. | +---------+-------------+-------------------------------------+ | tests | OPTIONAL | Continuous integration or test URL. | +---------+-------------+-------------------------------------+ Table 8 4.6.3. links +===============+========================================+ | Field | Description | +===============+========================================+ | project_page | Canonical human-readable project page. | +---------------+----------------------------------------+ | homepage | Organization-hosted overview page. | +---------------+----------------------------------------+ | documentation | Official documentation. | +---------------+----------------------------------------+ | demo | Live deployment or demo instance. | +---------------+----------------------------------------+ | releases | Release or download page. | +---------------+----------------------------------------+ | community | Chat, forum, or community hub. | +---------------+----------------------------------------+ | metadata | Machine-consumable descriptors. | +---------------+----------------------------------------+ Table 9 4.6.4. links.metadata +=========+===================================================+ | Field | Description | +=========+===================================================+ | openapi | URL to an OpenAPI description of the project API. | +---------+---------------------------------------------------+ Dulaunoy Expires 21 September 2026 [Page 9] Internet-Draft Open Contributions Descriptor March 2026 Table 10 Additional metadata members MAY be added. 4.6.5. participate +===================+==========================================+ | Field | Description | +===================+==========================================+ | issues | Issue tracker URL. | +-------------------+------------------------------------------+ | good_first_issues | Beginner-friendly issues. | +-------------------+------------------------------------------+ | chat | Real-time communication channel. | +-------------------+------------------------------------------+ | docs | Contribution or developer documentation. | +-------------------+------------------------------------------+ Table 11 4.6.6. governance +=============+==============================+ | Field | Description | +=============+==============================+ | maintainers | List of maintainer contacts. | +-------------+------------------------------+ | codeowners | CODEOWNERS file location. | +-------------+------------------------------+ Table 12 4.6.7. release +=================+==========================+ | Field | Description | +=================+==========================+ | changelog | Release history. | +-----------------+--------------------------+ | security_policy | Project security policy. | +-----------------+--------------------------+ Table 13 4.7. open_data The open_data member is an array of dataset objects. Dulaunoy Expires 21 September 2026 [Page 10] Internet-Draft Open Contributions Descriptor March 2026 +==================+========+=============+====================+ | Field | Type | Requirement | Description | +==================+========+=============+====================+ | name | string | REQUIRED | Dataset name. | +------------------+--------+-------------+--------------------+ | description | string | OPTIONAL | Dataset summary. | +------------------+--------+-------------+--------------------+ | license | string | REQUIRED | Data license, for | | | | | example CC-BY-4.0. | +------------------+--------+-------------+--------------------+ | publisher | string | OPTIONAL | Publishing entity. | +------------------+--------+-------------+--------------------+ | urls | object | REQUIRED | Access points. | +------------------+--------+-------------+--------------------+ | formats | array | OPTIONAL | Available formats. | +------------------+--------+-------------+--------------------+ | update_frequency | string | OPTIONAL | Publication | | | | | cadence. | +------------------+--------+-------------+--------------------+ | schema | string | OPTIONAL | Schema definition | | | | | URL. | +------------------+--------+-------------+--------------------+ | tags | array | OPTIONAL | Dataset | | | | | categories. | +------------------+--------+-------------+--------------------+ Table 14 4.7.1. open_data.urls +==============+==============================+ | Field | Description | +==============+==============================+ | landing_page | Human-readable dataset page. | +--------------+------------------------------+ | download | Direct dataset download. | +--------------+------------------------------+ | api | API endpoint. | +--------------+------------------------------+ Table 15 4.8. open_standards The open_standards member is an array describing participation in standards bodies. Dulaunoy Expires 21 September 2026 [Page 11] Internet-Draft Open Contributions Descriptor March 2026 +================+========+==========================+ | Field | Type | Description | +================+========+==========================+ | body | string | Standards organization, | | | | for example IETF or W3C. | +----------------+--------+--------------------------+ | working_groups | array | Associated working | | | | groups. | +----------------+--------+--------------------------+ | contributions | array | Contributions made. | +----------------+--------+--------------------------+ | contacts | array | Standards participation | | | | contacts. | +----------------+--------+--------------------------+ Table 16 4.8.1. contributions +=======+==========================================+ | Field | Description | +=======+==========================================+ | type | Contribution type, such as draft-author, | | | editor, implementation, or review. | +-------+------------------------------------------+ | title | Contribution title. | +-------+------------------------------------------+ | url | Reference URL. | +-------+------------------------------------------+ Table 17 4.9. relationships The relationships member allows an organization to declare structured relationships to other organizations and projects. This section supports ecosystem mapping, governance transparency, and machine- readable attribution of stewardship and contribution. Each relationship object has the following members. Dulaunoy Expires 21 September 2026 [Page 12] Internet-Draft Open Contributions Descriptor March 2026 +=============+========+=============+==============================+ | Field | Type | Requirement | Description | +=============+========+=============+==============================+ | type | string | REQUIRED | Relationship type | | | | | describing the role | | | | | or interaction. | +-------------+--------+-------------+------------------------------+ | target | object | REQUIRED | The related | | | | | organization or | | | | | project. | +-------------+--------+-------------+------------------------------+ | since | string | OPTIONAL | RFC 3339 date or | | | | | date-time when the | | | | | relationship started. | +-------------+--------+-------------+------------------------------+ | until | string | OPTIONAL | RFC 3339 date or | | | | | date-time when the | | | | | relationship ended. | +-------------+--------+-------------+------------------------------+ | description | string | OPTIONAL | Human-readable | | | | | explanation. | +-------------+--------+-------------+------------------------------+ | evidence | array | OPTIONAL | URLs or structured | | | | | objects supporting | | | | | the claim. | +-------------+--------+-------------+------------------------------+ | contacts | array | OPTIONAL | Contacts for this | | | | | relationship. | +-------------+--------+-------------+------------------------------+ | tags | array | OPTIONAL | Keywords for | | | | | classification and | | | | | search. | +-------------+--------+-------------+------------------------------+ | extensions | object | OPTIONAL | Relationship-specific | | | | | extensions. | +-------------+--------+-------------+------------------------------+ Table 18 Recommended values for type are: * maintains; * co_maintains; * supports; * contributes_to; * sponsors; * upstream_of; * downstream_of; Dulaunoy Expires 21 September 2026 [Page 13] Internet-Draft Open Contributions Descriptor March 2026 * member_of; and * affiliated_with. 4.9.1. target The target object identifies the related entity. +=========+========+=============+=================================+ | Field | Type | Requirement | Description | +=========+========+=============+=================================+ | kind | string | REQUIRED | Either organization or project. | +---------+--------+-------------+---------------------------------+ | name | string | REQUIRED | Display name of the target. | +---------+--------+-------------+---------------------------------+ | domain | string | OPTIONAL | Domain of the target | | | | | organization. | +---------+--------+-------------+---------------------------------+ | ocd | string | OPTIONAL | URL to the target's OCD | | | | | document. | +---------+--------+-------------+---------------------------------+ | url | string | OPTIONAL | Canonical human-readable URL | | | | | for the target. | +---------+--------+-------------+---------------------------------+ | project | object | OPTIONAL | Project identifier; required | | | | | when kind is project. | +---------+--------+-------------+---------------------------------+ Table 19 4.9.2. target.project +================+========+=============+===========================+ | Field | Type | Requirement | Description | +================+========+=============+===========================+ | repository_url | string | OPTIONAL | Canonical | | | | | repository URL. | +----------------+--------+-------------+---------------------------+ | homepage | string | OPTIONAL | Project homepage or | | | | | project page URL. | +----------------+--------+-------------+---------------------------+ | license | string | OPTIONAL | SPDX license | | | | | identifier. | +----------------+--------+-------------+---------------------------+ Table 20 Dulaunoy Expires 21 September 2026 [Page 14] Internet-Draft Open Contributions Descriptor March 2026 4.9.3. evidence The evidence member is an array containing either bare URLs or structured objects. +=======+========+=================================+ | Field | Type | Description | +=======+========+=================================+ | url | string | Evidence URL. | +-------+--------+---------------------------------+ | label | string | Short label for humans. | +-------+--------+---------------------------------+ | type | string | Evidence type, such as policy, | | | | announcement, or repo-metadata. | +-------+--------+---------------------------------+ Table 21 4.10. extensions The extensions object allows custom additions without breaking compatibility. Consumers MUST ignore unknown extension members. Extension names SHOULD be logically namespaced to reduce collisions. 5. Validation and Processing Rules An OCD processor: * MUST parse the document as JSON; * MUST treat spec_version, generated_at, and organization as required top-level members; * MUST ignore unknown members; * SHOULD validate date-time values against RFC 3339; * SHOULD validate license identifiers against SPDX when such validation is available; and * SHOULD preserve unrecognized extension content when transforming or proxying an OCD document. 6. Example The following example illustrates an OCD document. { "spec_version": "1.0", "generated_at": "2026-02-23T09:00:00Z", "organization": { "name": "Example Organization", "domain": "example.org", Dulaunoy Expires 21 September 2026 [Page 15] Internet-Draft Open Contributions Descriptor March 2026 "description": "An organization contributing to open source software, open data, and open standards.", "country": "LU", "links": { "homepage": "https://example.org", "opensource_page": "https://example.org/open", "github_org": "https://github.com/example-org" } }, "contacts": { "opensource": { "email": "opensource@example.org" }, "security": { "url": "https://example.org/.well-known/security.txt" }, "community": { "email": "community@example.org" } }, "policies": { "code_of_conduct": "https://example.org/code-of-conduct", "contributing": "https://example.org/contributing", "vulnerability_disclosure": "https://example.org/security", "license_policy": "https://example.org/open/licensing" }, "projects": [ { "name": "Vulnerability Lookup", "description": "An open platform to correlate and explore vulnerability intelligence.", "status": "active", "repository": { "url": "https://github.com/example-org/vulnerability-lookup", "license": "AGPL-3.0", "type": "git", "clone": "https://github.com/example-org/vulnerability-lookup.git", "tests": "https://ci.example.org/job/vulnerability-lookup/" }, "links": { "project_page": "https://www.vulnerability-lookup.org", "homepage": "https://example.org/projects/vulnerability-lookup", "documentation": "https://docs.vulnerability-lookup.org", "demo": "https://vulnerability.example.org", "releases": "https://github.com/example-org/vulnerability-lookup/releases", "community": "https://matrix.to/#/#vulnlookup:matrix.org", "metadata": { "openapi": "https://vulnerability.example.org/openapi.json" } }, Dulaunoy Expires 21 September 2026 [Page 16] Internet-Draft Open Contributions Descriptor March 2026 "participate": { "issues": "https://github.com/example-org/vulnerability-lookup/issues", "good_first_issues": "https://github.com/example-org/vulnerability-lookup/issues?q=is%3Aissue+is%3Aopen+label%3A%22good+first+issue%22", "chat": "https://matrix.to/#/#vulnlookup:matrix.org", "docs": "https://docs.vulnerability-lookup.org" }, "governance": { "maintainers": [ "maintainers@example.org" ], "codeowners": "https://github.com/example-org/vulnerability-lookup/blob/main/CODEOWNERS" }, "release": { "changelog": "https://github.com/example-org/vulnerability-lookup/releases", "security_policy": "https://github.com/example-org/vulnerability-lookup/security/policy" }, "tags": [ "security", "vulnerability-management", "open-source" ] } ], "open_data": [ { "name": "Daily Threat Indicators", "description": "Open dataset of curated threat intelligence indicators.", "license": "CC-BY-4.0", "publisher": "Example Organization", "urls": { "landing_page": "https://example.org/data/threat-indicators", "download": "https://example.org/data/threat-indicators/latest.json", "api": "https://example.org/api/threat-indicators" }, "formats": [ "json", "csv" ], "update_frequency": "daily", "schema": "https://example.org/data/threat-indicators/schema.json", "tags": [ "open-data", "cybersecurity", "threat-intelligence" ] } ], "open_standards": [ Dulaunoy Expires 21 September 2026 [Page 17] Internet-Draft Open Contributions Descriptor March 2026 { "body": "IETF", "working_groups": [ "openpgp", "sidrops" ], "contributions": [ { "type": "draft-author", "title": "Example Secure Exchange Format", "url": "https://datatracker.ietf.org/doc/draft-example-secure-exchange/" }, { "type": "implementation", "title": "Reference implementation", "url": "https://github.com/example-org/secure-exchange" } ], "contacts": [ { "email": "standards@example.org" } ] } ], "relationships": [ { "type": "co_maintains", "description": "We co-maintain the upstream project with the foundation and another OSPO.", "since": "2023-05-01", "target": { "kind": "project", "name": "Upstream Tooling", "url": "https://upstream.example.net/tooling", "ocd": "https://upstream.example.net/.well-known/open-contributions.json", "project": { "repository_url": "https://github.com/upstream/tooling", "homepage": "https://upstream.example.net/tooling", "license": "MPL-2.0" } }, "evidence": [ "https://github.com/upstream/tooling/blob/main/MAINTAINERS.md", "https://github.com/upstream/tooling/graphs/contributors" ], "contacts": [ { "email": "opensource@example.org" Dulaunoy Expires 21 September 2026 [Page 18] Internet-Draft Open Contributions Descriptor March 2026 } ], "tags": [ "governance", "maintenance" ] } ], "extensions": {} } 7. Security Considerations OCD documents are descriptive metadata and do not directly grant privileges or convey authority. However, consumers might use OCD data to drive discovery, ranking, trust decisions, or automation. A malicious or compromised publisher could therefore provide inaccurate metadata. Consumers SHOULD treat OCD content as unverified assertions unless backed by independently validated evidence. Consumers that act automatically on OCD content SHOULD apply origin authentication, transport security, and local policy before making trust or security decisions. Publishing contact information can increase discoverability but can also increase unwanted scraping, profiling, or spam. Publishers SHOULD consider the privacy impact of any personal data included in OCD documents. 8. IANA Considerations IANA is requested to register the well-known URI suffix open- contributions.json in the "Well-Known URIs" registry established by RFC 8615. The registry entry should include the following information: * URI suffix: open-contributions.json * Change controller: OSSBASE (https://ossbase.org/) * Specification document(s): This document This well-known resource is used to discover a JSON document describing an organization's open contributions profile. Dulaunoy Expires 21 September 2026 [Page 19] Internet-Draft Open Contributions Descriptor March 2026 A registration request for this well-known URI suffix has been filed and is tracked at: https://github.com/protocol-registries/well-known- uris/issues/78 (https://github.com/protocol-registries/well-known- uris/issues/78) 9. Normative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, . [RFC3339] Klyne, G. and C. Newman, "Date and Time on the Internet: Timestamps", RFC 3339, DOI 10.17487/RFC3339, July 2002, . [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2017, . [RFC8259] Bray, T., Ed., "The JavaScript Object Notation (JSON) Data Interchange Format", STD 90, RFC 8259, DOI 10.17487/RFC8259, December 2017, . [RFC8615] Nottingham, M., "Well-Known Uniform Resource Identifiers (URIs)", RFC 8615, DOI 10.17487/RFC8615, May 2019, . Appendix A. References Author's Address Alexandre Dulaunoy Computer Incident Response Center Luxembourg 122, rue Adolphe Fischer L-L-1521 Luxembourg Luxembourg Phone: +352 247 88444 Email: alexandre.dulaunoy@circl.lu Dulaunoy Expires 21 September 2026 [Page 20]