on spec minimalism - Re: Signature in Wrong Position

A bit off topic, but could be useful

> On 17 Jan 2016, at 23:44, Melvin Carvalho <melvincarvalho@gmail.com> wrote:
> 
> On 18 January 2016 at 00:30, Henry Story <henry.story@bblfish.net> wrote:
> 
>> On 17 Jan 2016, at 22:54, Melvin Carvalho <melvincarvalho@gmail.com> wrote:
>> 
>> [snip]
>> Not really, using bnodes here is a serious anti-pattern.  This is axiom 0 of the web.  Anything of significance should be given a URI.  This mistake was one reason signatures have been developed independently.
> 
> That's what some folks say. Many who have been working in the LinkedData space for a very long time don't agree.
> BNodes are part of RDF, available in JSON-LD, Turtle, Trig, RDF/XML, etc... all of which are used in the LinkedData space,
> and there are many use cases where they are very useful.
> But yes, this is completely off topic.
> 
> Axiom 0a: Universality 2
> 
> Any resource of significance should be given a URI.
> 
> https://www.w3.org/DesignIssues/Axioms.html

Perhaps if you look around a bit you'll notice that they are everywhere.
For example the signature in the LD-Signatures spec is a blank node
https://web-payments.org/specs/source/ld-signatures/

{
  "@context": "https://w3id.org/identity/v1",
  "title": "Hello World!",
  "signature": { // <--- here this is a blank node!!!
    "type": "LinkedDataSignature2015",
    "creator": "http://example.com/i/pat/keys/5",
    "created": "2011-09-23T20:21:34Z",
    "domain": "example.org",
    "nonce": "2bbgh3dgjg2302d-d2b3gi423d42",
    "signatureValue": "OGQzNGVkMzVm4NTIyZTkZDYMmMzQzNmExMgoYzI43Q3ODIyOWM32NjI="
  }
}

>  
> 3. WebID does not disallow URLs for keys: you are free to use them in your WebID Profile documents.
> 
> In theory yes.  But in practice people don't do this.  Yours doesn't for example.

Has that hampered you in any way?

>  
> 4. I have no problem with URLs for Keys: witness my implementation of HTTP-Signature on the client and the server
>     https://github.com/solid/solid-spec/issues/52 for SoLiD.
>     Perhaps you'd care to support that part of SoLiD since I am actually supporting a URL for a key there?
>     WebID-RSA which is currently listed in the spec there does not.
> 
> This is great!  But it took 5 years to get there.  In the meantime a whole spec was created and implemented.

The thing about specs if they are well written is that they should be quite minimal and 
orthogonal to the others. Small is beautiful. 

1. LD-Signatures is about signing graphs.
   https://web-payments.org/specs/source/ld-signatures/

2. WebID is about describing an Agent, see
   https://www.w3.org/2005/Incubator/webid/spec/identity/

3. WebID TLS is about a verification procedure to authenticate an agent using TLS.
   https://www.w3.org/2005/Incubator/webid/spec/tls/

None of the above exclude each other or even encroach on each other's turf. They are completely
different specs.

As a proof I have implemented WebID+TLS and Web-Signature (using a 
WebKey) authentication in the same server. The code is here:

https://github.com/read-write-web/rww-play/blob/bfa76510b44cdcc7acb003ac004809d89f4632f0/app/rww/ldp/auth/WACAuthZ.scala#L148

You'll see that the server is open to folks authenticating with a WebIDPrincipal or a WebKeyPrincipal.
The WebID and the WebKey can be in the same document or not. And one could allow any number of 
other types of authentication protocols such as OpenID, Mozilla Persona, etc....

The WebID spec page has a whole section on Identity Interoperability that I put together a long time ago
https://www.w3.org/2005/Incubator/webid/spec/

I have not yet used LD-Signature, but I like it. I was just starting this thread because of a concern I had.

In any case none of the above points (1, 2 and 3) clash! They are orthogonal.

>  
> 5. This has no bearing on this thread, so perhaps we can continue the discussion elsewhere?
> 
> Apart from the historical aspect, no, it's relevant to why your work on PKI and this group's work on PKI diverged several years ago,

But they did not diverge, since they are not even addressing the same topic.
Signing a graph is not the same as describing a person or verifying something with TLS!
This question is about graph signature.

> and that bringing up the concerns you raised, could have been much easier dealt with a few years ago.  I think we agree, that the current spec is not in error, you raise an interesting way of doing things tho.  It just may be a little late now for people to change specs / implementations.  

You seem to be very susceptible to finding clashes where there are none.
Perhaps if you let the discussion evolve a bit, then you'd find out that what I am suggesting may not
be incompatible with what is currently done.

> 
> Agreed, feel free to change title/list if you'd like to discuss further.

I'd rather we get back to the subject of the thread.

Received on Monday, 18 January 2016 00:19:59 UTC