
Re: GRRDL notes

From: Bijan Parsia <bparsia@cs.manchester.ac.uk>
Date: Fri, 20 Mar 2009 18:38:28 +0000
Message-Id: <9F43A820-CF97-40D5-8D63-0B661C023EC3@cs.manchester.ac.uk>
To: W3C OWL Working Group <public-owl-wg@w3.org>

On 20 Mar 2009, at 15:34, Ivan Herman wrote:

> Bijan Parsia wrote:
>>
>> From a security perspective, it seems that Jena puts up a warning at
>> least the first time you use GRDDL, but it's unclear if it does it every
>> time it downloads a new transform. I don't know if it caches, so the
>> effect on W3C traffic is still unknown. I don't know anything more
>> about signing or checksumming the XSLT, so I think it still is a fairly
>> large security risk.
>
> I am not sure it is a perfect answer but I put extra information into my
> FOAF file:
[snip]
> Can't we put something similar into the RDF file that refers to the XSLT
> transform? I.e., store the signed version of it side by side and refer to
> it through some vocabulary.

I guess.

Shouldn't we take the opportunity, however, to improve GRDDL practice?  
I mean, again, the pain of current implementations breaking on our  
GRDDL is superduperlooper low, afaict. And, arguably, they should be  
fixed.

I would suggest that we set something up that denies non-cachers  
access, etc. and sign directly so that implementations check that.

> I use PGP here, we can also use some form of XML Signature and store that.
>
> It is not perfect. But if an implementation wants to check the integrity
> of the transformation, it can.

Optional security isn't :)

Cheers,
Bijan.
Received on Friday, 20 March 2009 18:39:03 GMT
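
The following is an added example, not code from this thread, from Jena or from any GRDDL implementation. It sketches a client in which the integrity check on a downloaded transform is mandatory and the verified transform is cached, the two properties the message asks for. It uses a pinned SHA-256 checksum rather than PGP or XML Signature; the class name, URL, stylesheet bytes and the out-of-band distribution of the digest are all assumptions.

```python
import hashlib
import hmac

# Constructed sample data: a hypothetical transform URL and stylesheet bytes.
URL = "https://example.org/transforms/owl-to-rdf.xsl"
GOOD_XSLT = b'<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"/>'
TAMPERED_XSLT = GOOD_XSLT.replace(b"/>", b"><!-- altered in transit --></xsl:stylesheet>")
# Assumption: the publisher distributes this digest out of band.
PINS = {URL: hashlib.sha256(GOOD_XSLT).hexdigest()}


class TransformIntegrityError(Exception):
    """Raised when a transform is unpinned or its bytes do not match the pin."""


class PinnedTransformCache:
    """Fetch each pinned transform once, verify it, then serve it from cache."""

    def __init__(self, pins, fetch):
        self._pins = dict(pins)   # transform URL -> expected SHA-256 hex digest
        self._fetch = fetch       # callable(url) -> bytes, injected so this runs offline
        self._cache = {}          # URL -> verified bytes
        self.fetch_count = 0      # number of downloads actually performed

    def get(self, url):
        expected = self._pins.get(url)
        if expected is None:
            # Fail closed: a transform nobody vouched for is never returned.
            raise TransformIntegrityError(f"no pinned digest for {url}")
        if url in self._cache:
            return self._cache[url]          # no repeat download
        self.fetch_count += 1
        body = self._fetch(url)
        actual = hashlib.sha256(body).hexdigest()
        if not hmac.compare_digest(actual, expected):
            raise TransformIntegrityError(f"digest mismatch for {url}")
        self._cache[url] = body              # only verified bytes are cached
        return body


def demo():
    """Return (downloads for two uses of a good transform, tampered copy rejected?)."""
    ok = PinnedTransformCache(PINS, lambda url: GOOD_XSLT)
    ok.get(URL)
    ok.get(URL)
    bad = PinnedTransformCache(PINS, lambda url: TAMPERED_XSLT)
    try:
        bad.get(URL)
        rejected = False
    except TransformIntegrityError:
        rejected = True
    return ok.fetch_count, rejected
```

There is no code path that hands back unverified bytes, so a caller cannot skip the check by omission.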
