- From: Nathan <nathan@webr3.org>
- Date: Mon, 22 Feb 2010 14:34:35 +0000
- To: Linked Data community <public-lod@w3.org>
Bruno Harbulot wrote:
>
> Story Henry wrote:
>> On 22 Feb 2010, at 15:00, Nathan wrote:
>>
>>>> Yes, check out the foaf+ssl protocol. It's very easy to create
>>>> public key pairs, one for each browser, and it really makes sense to
>>>> publish the public key there, using the cert and rsa ontologies
>>>>
>>>> http://esw.w3.org/topic/foaf+ssl
>>>>
>>> So I can just chain up multiple public key pairs in my FOAF profile, ya?
>>>
>>> <?xml version="1.0" encoding="ISO-8859-1"?>
>>> <rdf:RDF
>>>   xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
>>>   xmlns:cert="http://www.w3.org/ns/auth/cert#"
>>>   xmlns:rsa="http://www.w3.org/ns/auth/rsa#">
>>>   <rsa:RSAPublicKey>
>>>     .. key one
>>>   </rsa:RSAPublicKey>
>>>   <rsa:RSAPublicKey>
>>>     .. key two
>>>   </rsa:RSAPublicKey>
>>>   .. and so on
>>> </rdf:RDF>
>>>
>>> correct?
>>
>> Yes, you just need to tie them to your WebId.
>>
>> See my foaf, where I have two:
>>
>> http://bblfish.net/people/henry/card
>
> Perhaps there should be something to indicate one of the keys is more
> "permanent"? Creating and adding keys on the fly could be a problem if
> you start to discard them.
>
> Let's imagine that someone sends you an encrypted file (S/MIME, PGP,
> ...) using the public key for which it expects you to have the private
> key (independently of what FOAF+SSL does). If that was just a key you
> added temporarily and then discarded, you wouldn't be able to decipher
> that file.

Exactly, this is the problem I'm encountering at the minute: consider the following triple in an RDF document:

  <http://webr3.org/some-graph.rdf> assertedBy <http://webr3.org/nathan#me> .

Now, if I was to download this document; openssl sign it using my private key; hex encode the signature; then add a triple like the following to my FOAF profile:

  <http://webr3.org/some-graph.rdf> assertionSignature "HEX_SIGNATURE" .

then an agent could:

1: download <http://webr3.org/some-graph.rdf>
2: see the assertedBy triple and retrieve <http://webr3.org/nathan#me> (which would return my foaf profile), and it'd include my public key pair and the assertionSignature for <http://webr3.org/some-graph.rdf>
3: openssl verify the document using my public key and signature.

All works great in theory - however, the second I add in multiple certs the process gets a bit heavier; moreover, as soon as a certificate expires and is removed, the data is no longer valid / verifiable.

Shame, as this trust could apply to anything; I could sign your personal URI in this manner and assert real trust, rather than inferring it through foaf:knows; further, I could sign any document on the web - and if we all did that we'd have a web of trust.

Will get there eventually!

Regards,

Nathan
Received on Monday, 22 February 2010 14:35:13 UTC
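The sign-then-verify flow Nathan describes (hash and sign the document, hex-encode the signature, publish it alongside the key's modulus and exponent in the profile, then have the consuming agent rebuild the public key and verify), as an added Go example that is not part of the thread or the foaf+ssl project; the document text, the Profile struct and the assertedBy predicate URI are constructed for illustration, and the final lines show why rotating or discarding the key silently invalidates every signature published under it.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"math/big"
)

// Constructed sample: the RDF document whose assertion is being signed.
const graphDoc = "<http://webr3.org/some-graph.rdf> <http://example.org/assertedBy> <http://webr3.org/nathan#me> .\n"

// Profile holds what the FOAF profile would publish: the key as modulus/exponent
// (the way the cert/rsa ontologies describe it) plus the hex-encoded signature.
type Profile struct {
	ModulusHex string
	Exponent   int
	SigHex     string
}

// Sign hashes the document and signs it with the private key (RSA PKCS#1 v1.5 over
// SHA-256, the equivalent of `openssl dgst -sha256 -sign`) and returns the profile entries.
func Sign(priv *rsa.PrivateKey, doc string) (Profile, error) {
	h := sha256.Sum256([]byte(doc))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
	if err != nil {
		return Profile{}, err
	}
	return Profile{hex.EncodeToString(priv.N.Bytes()), priv.E, hex.EncodeToString(sig)}, nil
}

// Verify is the consuming agent's step: rebuild the public key from the published
// modulus/exponent and check the published signature against the downloaded document.
func Verify(p Profile, doc string) bool {
	n, ok := new(big.Int).SetString(p.ModulusHex, 16)
	sig, err := hex.DecodeString(p.SigHex)
	if !ok || err != nil {
		return false
	}
	h := sha256.Sum256([]byte(doc))
	return rsa.VerifyPKCS1v15(&rsa.PublicKey{N: n, E: p.Exponent}, crypto.SHA256, h[:], sig) == nil
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	p, _ := Sign(key, graphDoc)
	fmt.Println("verifies:", Verify(p, graphDoc))
	// Replacing the key (as when a certificate expires and is removed) breaks verification
	// of everything signed with the old one unless the old public key stays published.
	fresh, _ := rsa.GenerateKey(rand.Reader, 2048)
	p.ModulusHex = hex.EncodeToString(fresh.N.Bytes())
	fmt.Println("after key rotation:", Verify(p, graphDoc))
}
```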