Re: what is on Trust and Proof levels?

On 1 Nov 2010, at 14:25, Nathan wrote:

> Henry Story wrote:
>> On 31 Oct 2010, at 09:23, Ivan Herman wrote:
>>> On Oct 29, 2010, at 01:58 , Juriy Katkov wrote:
>>> 
>>>> Hello everyone! I've studied semantic web standards and technologies for some time but still don't understand: what kind of technologies are on Proof and Trust levels of the Semantic Web layer cake? Have these standards already been built or not?
>>>> 
>>> The short answer is: no.
>>> 
>>> There is R&D on trust, security issues, signatures, etc., but none that I know of are of a maturity level to be defined as a standard. (Yet?)
>> Well I think WebID is really past that stage now. It's been tested on more platforms than one
>> can think of and list, people have written theses on it, implementations have been made, ...
>>   http://esw.w3.org/Foaf%2Bssl
>> It's mature, and ready to be cooked by a willing standards organisation. If you want to support it and are a member of the W3C please add your name to the wiki here: http://esw.w3.org/Foaf%2Bssl/WebIdWorkingGroup
>> That provides a foundation stone for the rest. The rest is still a lot of work.
> 
> There's still a critical link missing, there's no way of proving in RDF

You cannot make proofs in RDF. You make statements.

> that a person really holds the private key for which they say they hold the public key.

I am surprised that you still have this issue. It sounds like you still have not understood foaf+ssl
to me. Are you saying that all our deployments are broken at present? Or is there something I am missing?

The proof of ownership of the private key is not in the foaf profile. The proof that the authenticating party (Romeo) has the private key is in the SSL connection that his agent makes with the Relying Party (Juliet's server).

(I really go into this at length here
  http://www.slideshare.net/bblfish/philosophy-and-the-social-web-5583083 )

> If however one was to do something like sign their URI with their private key and pop the signature in the graph, then you could establish that they do or did hold that key simply by considering the RDF.

So what are the attack vectors that our current implementations are at risk of, since they do not
implement this? If you are adding a new feature, then there must be something that it is fixing, right?

> A few of us had a long conversation on #swig this morning, which starts off right at the above point, do see:
>  http://chatlogs.planetrdf.com/swig/2010-11-01.html
> 
> To save repeating it all,
> 
> Best,
> 
> Nathan

Social Web Architect
http://bblfish.net/

Received on Monday, 1 November 2010 13:56:04 UTC
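
The division of labour described in the message above, as an added example that is not part of the original thread: the relying party obtains proof of key possession from a fresh signed challenge in the connection (a simplified stand-in for TLS client authentication), while the profile only lists the public key. The toy textbook RSA key, the WebID URI and the dictionary standing in for the dereferenced profile are constructed assumptions.

```python
import hashlib

# Constructed toy key: textbook RSA over two Mersenne primes, no padding.
# Illustration only; real deployments use TLS client certificates.
P, Q, E = 2**31 - 1, 2**61 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, stays with Romeo's agent

ROMEO = "https://romeo.example/profile#me"  # constructed WebID
# Stand-in for the dereferenced profile: it lists public keys, nothing else.
PROFILE = {ROMEO: {(N, E)}}


def _digest(data, n):
    """Hash the challenge and reduce it into the RSA group."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(challenge, d, n):
    """Client side: sign the relying party's fresh challenge."""
    return pow(_digest(challenge, n), d, n)


def proves_possession(pub, challenge, signature):
    """Relying party: does the signature over *this* challenge verify?"""
    n, e = pub
    return pow(signature, e, n) == _digest(challenge, n)


def authenticate(webid, cert_pub, challenge, signature, profiles):
    """Accept only if the connection proves the key and the profile lists it."""
    if not proves_possession(cert_pub, challenge, signature):
        return False  # presenter does not hold the private key
    return cert_pub in profiles.get(webid, set())


if __name__ == "__main__":
    import secrets
    challenge = secrets.token_bytes(16)  # fresh per connection
    sig = sign(challenge, D, N)
    print(authenticate(ROMEO, (N, E), challenge, sig, PROFILE))
```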