Thoughts on the LDS WG chartering discussion

Hi all,

The discussion around the draft charter for the Linked Data Signatures WG has been filling our inboxes for several weeks now. There have been a succession of challenges from individuals who have long histories in the SemWeb/RDF/LD world, often recalling earlier discussions from the earliest days of the base standards development (can we cram in yet another reference to the Tim, Jim and Ora SciAm article here?).

The challenges have been answered diligently and patiently; notably by Manu. Does he have vested interest here? Of course he does. His company has real world products in use that depend on the draft technologies and it's good for Digital Bazaar if those technologies can be put through the W3C Rec Track process, thus giving his products extra credibility. Some version of that is why any commercial company spends any time here at all. EricP has also been actively responding. His domain, healthcare, is quite distinct from the areas where Manu makes his living. At GS1 we see real value in this work because it offers a route to improved trust in data around products and their supply chains. It's an aid, not a panacea, in tackling counterfeit goods and false claims.

As a result of the challenges on this mailing list and on Twitter, changes have been made to the charter. In my head, the issues are around:

1. Why is there any need to sign a graph and not just the bytes? See the explainer document at https://w3c.github.io/lds-wg-charter/explainer.html#noProblem for the answer to this.

2. What if a JSON-LD context file is changed after signature? This has been answered on this mailing list and is reflected in the modified description of the Linked Data Integrity deliverable. https://w3c.github.io/lds-wg-charter/#integrity


3. A different version of the previous objection is that signatures over anything that can be stated and changed by other people are meaningless and potentially dangerous. True. Those issues are understood by prospective members of the proposed WG and so there is a limit on the scope. Again, see the revised description of the LDI deliverable.

4. Are the input documents perfect? Obviously not. If they were, we wouldn't need a WG. Have they been reviewed by security experts? Actually, yes they have, but more is good. Review by the wider community? No. That's why we need a WG. It's the difference between a CG report and a Rec. And no one can be unaware of the genuine challenges raised on this mailing list by knowledgeable people who have a career-long passion to see RDF/LD succeed.

I asked GS1's developer working on building our Verifiable Credential infrastructure what checks are made on the JSON-LD context file when verifying. Does it look at the semantics of the terms? Nope. The library we're using just checks that the term is defined, not that it has a specific definition. That bothers me and it's an issue the WG is going to need to address. One of the things about being a prospective co-chair is that I'm one of the people that literally would get to set the agenda 😊. It's my agenda item one, right after we've introduced ourselves to each other.

The charter is about defining the problem. I think it does that - the problem being that we need a standardized way to use cryptography to substantially enhance the trust in exchanges of Linked Data. There are well proven and massively implemented ways of doing this already. Of course there are, but there are some circumstances where more work needs to be done in order for those existing techniques to be used.

I don't pretend to have the deep knowledge that many here have (I'm one of those people who sits between tech and business, I know some things, sure, but I also know my limits). What I can offer though is this:

PFPS, Pat Hayes, Gregg and DanBri are in the pantheon of RDF. Nothing you have said has been, or will be, ignored. It is input to the WG and, even if you don't join the WG itself, we'll know that you're paying attention and if the standards don't meet the challenges raised by you, they will rightly fall. I can, at least, make sure of that.


Phil Archer
Director, Web Solutions, GS1
https://www.gs1.org



Received on Wednesday, 9 June 2021 10:49:33 UTC
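
Added example (not part of the original message, and not the code of GS1's library or of any draft specification): the gap described above, where a verifier only checks that a term is defined, shown next to a check that pins the context's digest and the IRIs its terms map to. The context contents, the `example.org` IRIs and all function names are constructed for illustration, and the sorted-key JSON digest is a simplification that assumes flat contexts; it is not RDF canonicalization.

```python
import hashlib
import json

# Constructed sample contexts. Both define the same terms, but the second
# remaps "issuer" to a different IRI after the verifier last reviewed it.
TRUSTED_CONTEXT = {"@context": {
    "issuer": {"@id": "https://example.org/vocab#issuer", "@type": "@id"},
    "gtin": "https://example.org/vocab#gtin",
}}
ALTERED_CONTEXT = {"@context": {
    "issuer": {"@id": "https://example.org/vocab#subject", "@type": "@id"},
    "gtin": "https://example.org/vocab#gtin",
}}

def context_digest(ctx):
    """SHA-256 over a deterministic (sorted-key, compact) JSON serialization."""
    blob = json.dumps(ctx, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(blob.encode("utf-8")).hexdigest()

def term_iri(ctx, term):
    """IRI a term maps to; handles only flat string or {"@id": ...} definitions."""
    definition = ctx.get("@context", {}).get(term)
    if isinstance(definition, dict):
        return definition.get("@id")
    return definition

def terms_defined(ctx, terms):
    """The weak check: every term is present, whatever it means."""
    return all(term_iri(ctx, t) is not None for t in terms)

def check_pinned(ctx, pinned_digest, expected_iris):
    """The stricter check: returns a list of problems, empty when the context
    matches both the pinned digest and the expected term-to-IRI mapping."""
    problems = []
    if context_digest(ctx) != pinned_digest:
        problems.append("context digest differs from pinned value")
    for term, iri in expected_iris.items():
        found = term_iri(ctx, term)
        if found != iri:
            problems.append(f"{term}: expected {iri}, found {found}")
    return problems

# Values the verifier records when it reviews the context (constructed here).
PINNED_DIGEST = context_digest(TRUSTED_CONTEXT)
EXPECTED_IRIS = {"issuer": "https://example.org/vocab#issuer",
                 "gtin": "https://example.org/vocab#gtin"}

if __name__ == "__main__":
    for name, ctx in (("trusted", TRUSTED_CONTEXT), ("altered", ALTERED_CONTEXT)):
        print(name, terms_defined(ctx, EXPECTED_IRIS),
              check_pinned(ctx, PINNED_DIGEST, EXPECTED_IRIS))
```

Both contexts pass `terms_defined`; only `check_pinned` reports the remapped `issuer` term.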