- From: Graham Klyne <GK@NineByNine.org>
- Date: Wed, 16 Oct 2002 19:01:34 +0100
- To: SWAD-E public discussion <public-esw@w3.org>
Maybe this has already been considered ... it's obvious enough, but the
thought has only just struck me.
It occurs to me that the FOAF experiment of Dan Brickley and friends (and
FOAFs) might have some relevance to some aspects of trust modelling. I'm
scratching some words about public key certificates and CA chaining, and
got to this point:
[[
<t>So X.509 employs the idea of certificate chains, where
each CA's public key is itself signed by a "higher" CA,
and so on until a trusted "root" CA is encountered.
Thus, a chain of certificates can link the holder of
some key and a user of the corresponding public key
to a common point of trust. Set against this, the
longer the certificate chain the more scope there is
for compromise of any one of the CA signing keys, which
would effectively nullify the basis for trust in the
end user keys thus protected.</t>
]]
This describes the X.509 hierarchical CA chaining model. PGP, on the other
hand, employs a more grassroots based web of trust, in which any keyholder
can express degrees of trust in another. In his book "Applied
Cryptography", Bruce Schneier puts it like this:
[[
There are no key certification authorities; PGP instead supports a "web
of trust". Every user generates and distributes his own public key. Users
sign each other's public keys, creating an interconnected community of PGP
users.
]]
All of which has strong resonances with FOAF. I'm thinking in particular that:
(a) FOAF might be used to model PGP webs-of-trust.
(b) FOAF might be able to supply additional information about
relationships, which could be used to guide trust decisions in a PGP
web-of-trust.
(c) with a FOAF model and trust strategies modelled as rules on RDF data,
some PGP trust decisions might be automated that otherwise are made manually.
Hmmm... I must pay more attention to the next IETF key-signing party.
#g
-------------------
Graham Klyne
<GK@NineByNine.org>
Received on Wednesday, 16 October 2002 14:55:43 UTC
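
Points (a) to (c) above, sketched as an added example that is not part of the original message: a PGP-style validity rule evaluated over RDF-like triples. The `ex:` predicates, the names and the sample graph are constructed for illustration and are not FOAF terms; the rule is a simplified form of PGP's introducer model, with both thresholds as parameters.

```python
# Constructed sample data: (subject, predicate, object) triples.
# "ex:" predicates are hypothetical, not FOAF vocabulary.
TRIPLES = [
    ("me", "ex:signedKeyOf", "alice"),
    ("me", "ex:signedKeyOf", "bob"),
    ("me", "ex:signedKeyOf", "carol"),
    ("me", "ex:trustsFully", "alice"),
    ("me", "ex:trustsMarginally", "bob"),
    ("me", "ex:trustsMarginally", "carol"),
    ("me", "ex:trustsFully", "heidi"),       # trusted as introducer, but key never validated
    ("alice", "ex:signedKeyOf", "dave"),     # one fully trusted introducer
    ("bob", "ex:signedKeyOf", "erin"),       # two marginal introducers
    ("carol", "ex:signedKeyOf", "erin"),
    ("bob", "ex:signedKeyOf", "frank"),      # only one marginal introducer
    ("heidi", "ex:signedKeyOf", "ivan"),     # signer's own key is not valid
]

def valid_keys(triples, root, completes_needed=1, marginals_needed=2):
    """Return the set of key holders whose keys `root` may treat as valid.

    Rule (simplified): a key is valid if it is root's own key, or it is
    signed by enough *already valid* keys whose owners root trusts fully
    (completes_needed) or marginally (marginals_needed).
    """
    signed = {(s, o) for s, p, o in triples if p == "ex:signedKeyOf"}
    full = {o for s, p, o in triples if s == root and p == "ex:trustsFully"}
    marginal = {o for s, p, o in triples
                if s == root and p == "ex:trustsMarginally"}
    full.add(root)                     # root's own signatures count as fully trusted
    valid = {root}
    changed = True
    while changed:                     # iterate the rule to a fixpoint
        changed = False
        for key in {o for _, o in signed} - valid:
            signers = {s for s, o in signed if o == key and s in valid}
            if (len(signers & full) >= completes_needed
                    or len(signers & marginal) >= marginals_needed):
                valid.add(key)
                changed = True
    return valid

if __name__ == "__main__":
    print(sorted(valid_keys(TRIPLES, "me")))
```

Raising `marginals_needed` shrinks the valid set, and a trusted introducer whose own key has no valid signature path (heidi here) contributes nothing, which is the kind of decision the message suggests could be automated.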