W3C home > Mailing lists > Public > semantic-web@w3.org > March 2008

Re: [foaf-dev] Re: privacy and open data

From: Story Henry <henry.story@bblfish.net>
Date: Tue, 25 Mar 2008 18:16:04 +0100
Cc: foaf-dev Friend of a <foaf-dev@lists.foaf-project.org>, Semantic Web <semantic-web@w3.org>
Message-Id: <ADE5C5E5-2F4E-4E1C-B9F2-BDADCE38E3B7@bblfish.net>
To: Peter Williams <pwilliams@rapattoni.com>

On 25 Mar 2008, at 17:44, Peter Williams wrote:
>
> Henry Story wrote:
>
> > The server would then just need to get the foaf file, find the pgp
> > public key, to verify that the reques does indeed come from the  
> owner of the foaf file."
>
> Loving to solve trust problems using public key control systems (my  
> own discipline), I'm supportive.
>
:-)
> However, the use of "just" is a little dis-ingenuous, above. 15  
> years of the PGP model working in other information flow sphere's  
> did not reduce the key distribution issue set down to a simple  
> "just". Nothing in the PGP model of web of trust has shown itself  
> better than other models at scaling a wot, todate. A fair amount of  
> highly-doctrinal arguments are bandied around, tho.
>
Is the key distribution issue still a problem now? With linked data I  
have my foaf file point to the URL of the pgp key.
So my foaf file contains the following triples:

:me  is wot:identity of [ a wot:PubKey;
                          wot:pubkeyAddress <http://bblfish.net/people/henry/henry.pubkey.asc 
 >;
                          wot:fingerprint  
"0DF560B5DADF6D348CC99EA0FD76F60D4CAE10D7";
                          wot:hex_id "4CAE10D7";
                          wot:length 1024 ] .

so if someone trusts the foaf file has not been corrupted - not unlike  
trusting that the OpenId Resource has not been corrupted - then the link
to the PGP key deals with the problem of finding the key, right?

I don't think we need Web Of Trust at this level. Here I am just  
trying to define a very simple method of authentication.

1. the client ( Beatnik perhaps ) sends an RDFAuth header in its HTTP  
Header request with an encrypted string and a pointer to my foaf file
2. the server then
   a. find the foaf
   b. find the public PGP key (other encryption mechanisms could work)
   c. checks that the encrypted string I sent it could only be  
generated by someone who had the private key of the public key
   => it then knowns that the client making the request is indeed the  
owner of the foaf file.

This is a lot simpler than OpenId to put in place, once one gets over  
the restrictions OpenId imposed itself by limiting itself to legacy  
web browsers.

> What's interesting about the particular wot model referred to in  
> foaf/semweb is the notion that one relies on the public key only  
> once its endorsed by a sufficient "weighting" of those members on  
> one or your own particular friend lists.
>
I was not suggesting this be done here.
What I describe in

http://blogs.sun.com/bblfish/entry/cryptographic_web_of_trust

could be used as a further way of validating the authenticity of the  
foaf file.

Here all the server needs to know is your name. Ie.

<http://bblfish.net/people/henry/card#me>

in my case. The server could then give you access rights simply based  
on this, by checking that your name (URI) is in a list of accepted URIs.

The list itself could be generated using a web of trust mechanism, but  
say crawling foaf files the way the DIG group did it.
http://dig.csail.mit.edu/breadcrumbs/node/206

> This is a variant of the aborted IETF efforts of the SKMI WG.  
> Beware, that fully generalized metric-based reliance models were  
> properly and carefully patented in the mid 90s, folks, with both the  
> core claims and the continuances set to run for a good amount of  
> time yet. The prior art disclosed DARPA research reports of the  
> early 1990s that provided for the restricted use of metrics in a  
> specific (TTP) model of key distribution, for the selection of  
> alternative routing graphs through a key-certification space  
> starting at well-known public (vs restricted access personal) trust  
> points.
>
Thanks for the warning.

> Remember to apply your core research skills, re the literature (and  
> G8 patent databases).
>
Well I try to think of obvious things. Those I am told can't be  
patented :-)

Henry


> ______________________



> _________________________
> foaf-dev mailing list
> foaf-dev@lists.foaf-project.org
> http://lists.foaf-project.org/mailman/listinfo/foaf-dev



Received on Tuesday, 25 March 2008 17:17:22 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 21:45:21 GMT