W3C home > Mailing lists > Public > public-esw@w3.org > October 2002

FOAF and trust and certificates

From: Graham Klyne <GK@NineByNine.org>
Date: Wed, 16 Oct 2002 19:01:34 +0100
Message-Id: <>
To: SWAD-E public discussion <public-esw@w3.org>

Maybe this has already been considered ... it's obvious enough, but the 
thought has only just struck me.

It occurs to me that the FOAF experiment of Dan Brickley and friends (and 
FOAFs) might have some relevance to some aspects of trust modelling.  I'm 
scratching some words about public key certificates and CA chaining, and 
got to this point:
           <t>So X.509 employs the idea of certificate chains, where
             each CA's public key is itself signed by a "higher" CA,
             and so on until a trusted "root" CA is encountered.
             Thus, a chain of certificates can link the holder of
             some key and a user of the corresponding public key
             to a common point of trust.  Set against this, the
             longer the certificate chain the more scope there is
             for compromise of any one of the CA signing keys, which
             would effectively nullify the basis for trust in the
             end user keys thus protected.</t>

This describes the X.509 hierarchical CA chaining model.  PGP, on the other 
hand, employs a more grassroots based web of trust, in which any keyholder 
can express degrees of trust in another.  In his book "Applied 
Crytography", Bruce Schneier puts it like this:
There are no key certification authorities;   PGP instead supports a "web 
of trust".  Every user generates and distributes his own public key.  Users 
sign each other's public keys, creating an interconnected community of PGP 

All of which has strong resonances with FOAF.  I'm thinking in particular that:
(a) FOAF might be used to model PGP webs-of-trust.
(b) FOAF might be able to supply additional information about 
relationships, which could be used to guide trust decisions in a PGP 
(c) with a FOAF model and trust strategies modelled as rules on RDF data, 
some PGP trust decisions might be automated that otherwise are made manually.

Hmmm... I must pay more attention to the next IETF key-signing party.


Graham Klyne
Received on Wednesday, 16 October 2002 14:55:43 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 19:44:40 UTC