W3C home > Mailing lists > Public > semantic-web@w3.org > March 2008

Re: [foaf-dev] Re: privacy and open data

From: Story Henry <henry.story@bblfish.net>
Date: Tue, 25 Mar 2008 18:16:04 +0100
Cc: foaf-dev Friend of a <foaf-dev@lists.foaf-project.org>, Semantic Web <semantic-web@w3.org>
Message-Id: <ADE5C5E5-2F4E-4E1C-B9F2-BDADCE38E3B7@bblfish.net>
To: Peter Williams <pwilliams@rapattoni.com>

On 25 Mar 2008, at 17:44, Peter Williams wrote:
> Henry Story wrote:
> > The server would then just need to get the foaf file, find the pgp
> > public key, to verify that the reques does indeed come from the  
> owner of the foaf file."
> Loving to solve trust problems using public key control systems (my  
> own discipline), I'm supportive.
> However, the use of "just" is a little dis-ingenuous, above. 15  
> years of the PGP model working in other information flow sphere's  
> did not reduce the key distribution issue set down to a simple  
> "just". Nothing in the PGP model of web of trust has shown itself  
> better than other models at scaling a wot, todate. A fair amount of  
> highly-doctrinal arguments are bandied around, tho.
Is the key distribution issue still a problem now? With linked data I  
have my foaf file point to the URL of the pgp key.
So my foaf file contains the following triples:

:me  is wot:identity of [ a wot:PubKey;
                          wot:pubkeyAddress <http://bblfish.net/people/henry/henry.pubkey.asc 
                          wot:hex_id "4CAE10D7";
                          wot:length 1024 ] .

so if someone trusts the foaf file has not been corrupted - not unlike  
trusting that the OpenId Resource has not been corrupted - then the link
to the PGP key deals with the problem of finding the key, right?

I don't think we need Web Of Trust at this level. Here I am just  
trying to define a very simple method of authentication.

1. the client ( Beatnik perhaps ) sends an RDFAuth header in its HTTP  
Header request with an encrypted string and a pointer to my foaf file
2. the server then
   a. find the foaf
   b. find the public PGP key (other encryption mechanisms could work)
   c. checks that the encrypted string I sent it could only be  
generated by someone who had the private key of the public key
   => it then knowns that the client making the request is indeed the  
owner of the foaf file.

This is a lot simpler than OpenId to put in place, once one gets over  
the restrictions OpenId imposed itself by limiting itself to legacy  
web browsers.

> What's interesting about the particular wot model referred to in  
> foaf/semweb is the notion that one relies on the public key only  
> once its endorsed by a sufficient "weighting" of those members on  
> one or your own particular friend lists.
I was not suggesting this be done here.
What I describe in


could be used as a further way of validating the authenticity of the  
foaf file.

Here all the server needs to know is your name. Ie.


in my case. The server could then give you access rights simply based  
on this, by checking that your name (URI) is in a list of accepted URIs.

The list itself could be generated using a web of trust mechanism, but  
say crawling foaf files the way the DIG group did it.

> This is a variant of the aborted IETF efforts of the SKMI WG.  
> Beware, that fully generalized metric-based reliance models were  
> properly and carefully patented in the mid 90s, folks, with both the  
> core claims and the continuances set to run for a good amount of  
> time yet. The prior art disclosed DARPA research reports of the  
> early 1990s that provided for the restricted use of metrics in a  
> specific (TTP) model of key distribution, for the selection of  
> alternative routing graphs through a key-certification space  
> starting at well-known public (vs restricted access personal) trust  
> points.
Thanks for the warning.

> Remember to apply your core research skills, re the literature (and  
> G8 patent databases).
Well I try to think of obvious things. Those I am told can't be  
patented :-)


> ______________________

> _________________________
> foaf-dev mailing list
> foaf-dev@lists.foaf-project.org
> http://lists.foaf-project.org/mailman/listinfo/foaf-dev

Received on Tuesday, 25 March 2008 17:17:22 UTC

This archive was generated by hypermail 2.3.1 : Wednesday, 7 January 2015 15:49:40 UTC