- From: Ivan Herman <ivan@w3.org>
- Date: Fri, 20 Mar 2009 16:34:21 +0100
- To: Bijan Parsia <bparsia@cs.man.ac.uk>
- CC: W3C OWL Working Group <public-owl-wg@w3.org>
- Message-ID: <49C3B77D.6050702@w3.org>
Bijan Parsia wrote:
>
> From a security perspective, it seems that Jena puts up a warning at
> least the first time you use GRDDL, but it's unclear if it does it every
> time it downloads a new transform. I don't know if it caches, so the
> effect on W3C traffic is still unknown. I don't know anything more
> about signing or checksumming the XSLT, so I think it still is a fairly
> large security risk.

I am not sure it is a perfect answer but I put extra information into my
FOAF file:

    xmlns:wot="http://xmlns.com/wot/0.1/"
    ...
    <wot:assurance>
      <wot:Endorsement rdf:about="http://www.ivan-herman.net/foaf.html.asc">
        <dc:title>A detached signature for the generated foaf RDF/XML document</dc:title>
        <wot:endorser>
          <wot:PubKey>
            <wot:pubKeyAddress rdf:resource="http://www.ivan-herman.net/pgpkey.html"/>
            <wot:identity rdf:resource="http://www.ivan-herman.net/me"/>
            <wot:length>1024</wot:length>
            <wot:fingerprint>31DD 8BBF 6057 1601 659E E95F 751D E143 343F 1A3D</wot:fingerprint>
          </wot:PubKey>
        </wot:endorser>
      </wot:Endorsement>
    </wot:assurance>

Can't we put something similar into the RDF file that refers to the XSLT
transform? Ie, store the signed version of it side by side and refer to
it through some vocabulary. I use PGP here, we can also use some form of
XML Signature and store that.

It is not perfect. But if an implementation wants to check the integrity
of the transformation, it can.

Just an idea

Ivan

-- 
Ivan Herman, W3C Semantic Web Activity Lead
Home: http://www.w3.org/People/Ivan/
mobile: +31-641044153
PGP Key: http://www.ivan-herman.net/pgpkey.html
FOAF: http://www.ivan-herman.net/foaf.rdf
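One way a GRDDL consumer could act on such an endorsement, as an added example that is not from the mail or from Jena or any W3C code: it reads the wot:assurance block attached to the transform's URI, normalises the endorsed fingerprint, and accepts the transform only when gpg reports a VALIDSIG from that key. Standard-library Python; the sample RDF, the example.org URIs and the fingerprint are constructed, and signature_matches assumes gpg is installed and the endorsing public key is already in the local keyring.

```python
import re
import subprocess
import xml.etree.ElementTree as ET

RDF_NS = "http://www.w3.org/1999/02/22-rdf-syntax-ns#"
WOT_NS = "http://xmlns.com/wot/0.1/"

# Constructed sample (not from the mail): the wot:assurance pattern from the
# FOAF file, but attached to the transform's URI. Fingerprint is a placeholder.
SAMPLE_RDF = """<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
         xmlns:wot="http://xmlns.com/wot/0.1/">
 <rdf:Description rdf:about="http://example.org/transform.xsl">
  <wot:assurance>
   <wot:Endorsement rdf:about="http://example.org/transform.xsl.asc">
    <wot:endorser><wot:PubKey>
     <wot:pubKeyAddress rdf:resource="http://example.org/pgpkey.html"/>
     <wot:fingerprint>0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567</wot:fingerprint>
    </wot:PubKey></wot:endorser>
   </wot:Endorsement>
  </wot:assurance>
 </rdf:Description>
</rdf:RDF>"""

def normalise_fingerprint(text):
    # "31DD 8BBF ..." -> "31DD8BBF..."; anything but 40 hex digits is rejected
    fpr = re.sub(r"\s+", "", text or "").upper()
    if not re.fullmatch(r"[0-9A-F]{40}", fpr):
        raise ValueError("not a v4 OpenPGP fingerprint: %r" % text)
    return fpr

def find_endorsement(rdf_xml, subject_uri):
    # Return (detached signature URL, endorsed fingerprint) for subject_uri, or None
    root = ET.fromstring(rdf_xml)
    for node in root.iter():
        if node.get("{%s}about" % RDF_NS) != subject_uri:
            continue
        end = node.find("{%s}assurance/{%s}Endorsement" % (WOT_NS, WOT_NS))
        fpr = None if end is None else end.find(".//{%s}fingerprint" % WOT_NS)
        if fpr is not None:
            return end.get("{%s}about" % RDF_NS), normalise_fingerprint(fpr.text)
    return None

def signature_matches(sig_path, data_path, expected_fpr):
    # A good signature from *some* key is not enough: the key must be the one the
    # endorsement names. gpg's VALIDSIG status line carries the signing (sub)key
    # fingerprint as its first field and the primary key fingerprint as its last.
    proc = subprocess.run(["gpg", "--batch", "--status-fd", "1", "--verify",
                           sig_path, data_path], capture_output=True, text=True)
    for line in proc.stdout.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[:2] == ["[GNUPG:]", "VALIDSIG"]:
            return expected_fpr in (parts[2].upper(), parts[-1].upper())
    return False
```

A consumer would fetch the transform and the signature URL side by side, run signature_matches with the endorsed fingerprint, and only then hand the XSLT to its processor.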
Received on Friday, 20 March 2009 15:34:13 UTC