When making an activitypub request from either a lemmy or mastodon server (I haven't tried others)

(eg curl https://programming.dev/c/activitypub -A 'WhizzleGig/0.1;' -H 'Accept: application/activity+json'),

for their context they include...

"@context": [                                                                                                                                                                                                                                                                                                                                                                                                                          
    "https://www.w3.org/ns/activitystreams",                                                                                                                                                                                                                                                                                                                                                                                             
    "https://w3id.org/security/v1",                                                                                                                                                                                                                                                                                                                                                                                                      
    {

(note: https://w3id.org/security/v1), and for the security portion of the record, they return something like ...

"publicKey": {                                                                                                                                                                                                    
    "id": "https://programming.dev/c/activitypub#main-key",                                                                                                                                                         
    "owner": "https://programming.dev/c/activitypub",                                                                                                                                                               
    "publicKeyPem": "-----BEGIN PUBLIC KEY-----\nBlahBlahBlah\n-----END PUBLIC KEY-----\n"                                                                                                                                                           
  },

(note how publicKeyPem and owner are both nested inside publicKey).

However, upon reviewing https://w3id.org/security/v1 and https://w3id.org/security, my interpretation is that those should not be nested inside publicKey but should be at the same level. Am I misreading something?