Re: X.509 and PGP

On Mar 18, 2004, at 11:43, ext Chris Bizer wrote:
>> I much prefer the swp:certificate property rather than forcing
>> the URI denoting the authority to resolve to the certificate.
>>
>
> Absolutely. I think it should be general practice that the URI  
> identifing an
> authority refers to a graph with a self description of the authority  
> (name,
> address, affiliation, roles in different application domains,  
> certificates
> .... using the vocabularies of choice). Another solution would be using
> rdf:seeAlso in a graph to link to this self description.
>
>
>
> G2 (G1 swp:assertedBy ex:chris.
>
>        ex:chris rdf:seeAlso <http:www.bizer.de/selfdescription.trix>)
>

The practical difficulty with this is that it's not clear that
folks will indicate the certificate of the authority in any
consistent manner via an rdf:seeAlso reference.

Better to have it explicit, e.g.

:G2 (:G1 swp:assertedBy ex:chris .
      ex:chris swp:certificate <http://...> )

>
>
> ... "Distrust everything a vendor says about its competitor."

;-)

>
>
>
> I think we should derive our vocabulary for expression signatures and
> certificates from the W3C "XML Encryption Syntax and Processing" and
> "XML-Signature Syntax and Processing" specifications
> http://www.w3c.org/Signature/  and the W3C key management work
> http://www.w3c.org/2001/XKMS/, rather than inventing our own  
> vocabulary. A
> guy called Garret Wilson started this, but didn't get too far. See:
>
> http://lists.w3.org/Archives/Public/www-rdf-interest/2003Dec/att-0140/ 
> crypto
> -draft-20031224.html
>
>
>
> If we want to go this way, I could derive the necessary vocabulary  
> from the
> specs next week.

This sounds like a reasonable way to go, but I think for this particular
paper, all we need to define is swp:signature and swp:Signature and
simply cover their essential function, leaving it to future work
to define the rest.

I.e., go ahead and put together a proposal vocabulary, which may in
any case be useful in clarifying things for the present paper, but
let's keep the two activities distinct. OK?

>>> 5) define swp:signedAndAssertedBy as a subproperty of (3) and (4)
>>
>> Would we not rather be able to infer
>>
>>    ?graph swp:signedBy ?authority .
>>
>> from
>>
>>    ?graph swp:authority ?authority .
>>    ?authority rdf:type swp:PGPCertifiedAuthority .
>>
>> ???
>>
>> I.e., if someone is a PGP CA they they are always the CA
>> for graphs which they verify/sign.
>>
>> This allows us to avoid the extra property. If the graph is
>> signed with an X509 signature, then you have to specify the
>> CA explicitly, otherwise it's the same as the value of
>> either swp:authority or swp:assertedBy.
>>
>> Yes?
>>
>
> No. I think a link to the CA is encoded in the X509 certificate. Thus  
> it is
> enough that an authority signing a graph has a certificate property in  
> its
> self description. An agent who wants to verify the signature can  
> decode the
> certification chain from the certificates. Or we should have a look how
> certification chains are handled in the "XML Key Management  
> Specification"
> and use their vocabulary.

OK, so either way, all we need is the swp:authority and swp:signature,
and then via the URI of the authority we obtain a certificate for the
authority, where the CA of that certificate is either the authority
itself (PGP) or is specified in the certificate (X509).

Right?

Patrick

--

Patrick Stickler
Nokia, Finland
patrick.stickler@nokia.com

Received on Thursday, 18 March 2004 06:25:47 UTC