- From: Scheppe, Kai-Dietrich <k.scheppe@telekom.de>
- Date: Wed, 7 May 2008 17:20:25 +0200
- To: "Tim Boland" <frederick.boland@nist.gov>, <public-powderwg@w3.org>
Hi Tim,

We had previously discussed that, at some point, the user will simply have to trust.
The simplest and easiest form to help the user is to provide attribution in the DR.

This is made quite apparent through the following example on certification:

trustbuilder.org says, in DR 1, that the content at provider.com is in fact what they claim in DR 2

but

rebel.org says, in DR 3, that the content at provider.com is not what is claimed in DR 2

This is perfectly legitimate and the user has to decide which source of certification to believe.

However, how would you manage, test or even quantify this trust?
Because, depending on your own circumstance you may trust rebel.org in one instance, but for some other subject, you would go to trustbuilder.org

It all depends on who they are and what the user needs at the moment.

As such, we can only provide a mechanism to facilitate the extension of trust.

-- Kai

> -----Original Message-----
> From: public-powderwg-request@w3.org
> [mailto:public-powderwg-request@w3.org] On Behalf Of Tim Boland
> Sent: Wednesday, May 07, 2008 5:06 PM
> To: public-powderwg@w3.org
> Subject: Re: Report on Beijing
>
>
> Would the text proposed contain any normative requirements
> which would then need to (hopefully) be objectively tested?
> How would this trust be managed/tested (will we be testing
> any requirements related to trust management for POWDER)?
>
> Thanks and best wishes
> Tim Boland NIST
>
> At 03:53 PM 5/7/2008 +0100, you wrote:
>
> >Thanks Kai, it'll be in the next version of the doc posted to the group
> >- which I hope to do tomorrow morning.
> >
> >Phil.
> >
> >Scheppe, Kai-Dietrich wrote:
> >>Hi Phil,
> >>That is pretty good, but I think something else needs to be said as
> >>well.
> >>There is the fickle nature of trust with regard to the circumstances.
> >>You may trust one person to give you information on cooking, but would
> >>extend trust to another person about how to fix your broken GRDDL
> >>transform.
> >>As such how about this:
> >>Trust is a central theme of POWDER, however, we do not prescribe a
> >>single method through which trust must be conferred on Description
> >>Resources. By its very nature, trust is a human judgement that can
> >>only be made by weighing the likelihood that the data is true against
> >>the effect of it being false.
> >>This judgement is highly dependent on the circumstances under which
> >>the need to extend trust arises.
> >>POWDER does, therefore, provide support for, and is amenable to, a
> >>variety of methods through which users and user agents can establish
> >>trust to suit their particular situation.
> >>
> >>...as a thought.
> >>Kai
> >>
> >>>-----Original Message-----
> >>>From: public-powderwg-request@w3.org
> >>>[mailto:public-powderwg-request@w3.org] On Behalf Of Phil Archer
> >>>Sent: Wednesday, May 07, 2008 1:04 PM
> >>>To: Public POWDER
> >>>Subject: Re: Report on Beijing
> >>>
> >>>
> >>>Just to follow up on this, I am working on the DR doc just now and
> >>>would like to propose the following additional text be included in
> >>>the introduction:
> >>>
> >>>Trust is a central theme of POWDER, however, we do not prescribe a
> >>>single method through which trust must be conferred on Description
> >>>Resources. By its very nature, trust is a human judgement that can
> >>>only be made by weighing the likelihood that the data is true against
> >>>the effect of it being false. POWDER does, however, provide support
> >>>for, and is amenable to, a variety of methods through which users and
> >>>user agents can establish trust.
> >>>
> >>>Does that answer the question do you think?
> >>>
> >>>Phil.
> >>>
> >>>Phil Archer wrote:
> >>>>Thanks Kai, and thanks for flying the POWDER flag in Beijing.
> >>>>
> >>>>I get asked the same question and my answer is usually a version of:
> >>>>
> >>>>There are several methods of adding security - XML Sig, SSL etc. And
> >>>>it depends on the application which is the most appropriate. The claim
> >>>>that a Web site offers good ideas for children's parties needs a
> >>>>different level of security than the claim that the advice on the Web
> >>>>site is useful for defusing a nuclear warhead. /Therefore/ we don't
> >>>>prescribe a single method.
> >>>>
> >>>>But... as you say, the question does keep coming up. Section 4 of the
> >>>>DR doc [1] attempts to answer it and highlights several methods:
> >>>>
> >>>>1. wdr:authenticate - which links a FOAF file to a description of a
> >>>>service - any service - through which one can authenticate a DR
> >>>>created by that author.
> >>>>
> >>>>2. Certification using a DR - in which a hash of the (single) thing
> >>>>described is part of the description.
> >>>>
> >>>>3. supportedBy - a pointer from a DR to some other source of
> >>>>information that will offer a similar description.
> >>>>
> >>>>4. The source of the DR - if you get your DR directly from
> >>>>technosite.es, notwithstanding a man in the middle attack, you can be
> >>>>pretty sure that Technosite was the publisher of the DR.
> >>>>
> >>>>5. Machine Learning - Since DRs make it easy to use controlled
> >>>>vocabularies, and controlled vocabularies make it easy to train
> >>>>content analysers.
> >>>>
> >>>>Those who know the WG members will be able to discern where these
> >>>>approaches all come from. In addition, Andrea has suggested we make
> >>>>use of Dan Brickley's 'other vocabulary', the Web of trust
> >>>>http://xmlns.com/wot/0.1/ and, yes, XML Sig. I'd be very happy to see
> >>>>these in the doc!
> >>>>
> >>>>Phil
> >>>>
> >>>>
> >>>>[1] http://www.w3.org/TR/2008/WD-powder-dr-20080317/#trust
> >>>>
> >>>>Scheppe, Kai-Dietrich wrote:
> >>>>>Phil had asked about China and the WWW2008 conference.
> >>>>>
> >>>>>Yes, there is something to report.
> >>>>>I gave a short presentation on POWDER. It went fine, people seemed
> >>>>>interested, there were few questions.
> >>>>>
> >>>>>However, one point came up in several conversations with several
> >>>>>people - that of security.
> >>>>>
> >>>>>Basically I was asked: How do you ensure that the DR which has
> >>>>>been written does in fact come from that person or entity?
> >>>>>
> >>>>>I believe we had, a long time ago, discussed digital signatures, but
> >>>>>wasn't sure what had come of all that.
> >>>>>
> >>>>>
> >>>>>Question to the group: Will we deal with that? And if yes, how?
> >>>>>
> >>>>>The easy way out would be to say no, trust is up to the user and we
> >>>>>won't bother, but I was struck by how this point came up several
> >>>>>times independently, thus I think it is not something to be brushed aside.
> >>>>>-- Kai
Received on Wednesday, 7 May 2008 15:22:29 UTC
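
Added example, not part of the thread or of the POWDER documents: a sketch of the trustbuilder.org / rebel.org certification conflict from the message above, combined with the quoted "hash of the (single) thing described" method, showing how a user agent could resolve it with a per-subject set of trusted issuers. The dict layout, the field names, the functions `hash_ok` and `decide`, and the choice of SHA-256 are assumptions made for illustration; the sample DRs and content are constructed.

```python
import hashlib
import hmac

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed sample data. Plain dicts stand in for DRs; this is not POWDER syntax.
CONTENT = b"<html>Ideas for children's parties</html>"
DRS = [
    {"id": "DR2", "issuer": "provider.com", "kind": "claim"},
    {"id": "DR1", "issuer": "trustbuilder.org", "kind": "certify",
     "ref": "DR2", "sha256": sha256_hex(CONTENT)},
    {"id": "DR3", "issuer": "rebel.org", "kind": "dispute", "ref": "DR2"},
]

def hash_ok(dr: dict, content: bytes) -> bool:
    """A certification that carries a hash only covers content with that hash."""
    expected = dr.get("sha256")
    if expected is None:
        return True
    return hmac.compare_digest(expected, sha256_hex(content))

def decide(claim_id: str, drs: list, content: bytes, trusted: set) -> str:
    """Return 'accept', 'reject' or 'undecided' for the claim `claim_id`.

    Only DRs attributed to an issuer in `trusted` are counted. The caller picks
    that set per subject. Assumption: the issuer field was already authenticated
    by some other means; this function does not check who wrote a DR.
    """
    verdicts = set()
    for dr in drs:
        if dr.get("ref") != claim_id or dr["issuer"] not in trusted:
            continue
        if dr["kind"] == "certify" and hash_ok(dr, content):
            verdicts.add("accept")
        elif dr["kind"] == "dispute":
            verdicts.add("reject")
    # One consistent answer from trusted sources, otherwise leave it to the user.
    return verdicts.pop() if len(verdicts) == 1 else "undecided"

if __name__ == "__main__":
    for trusted in ({"trustbuilder.org"}, {"rebel.org"},
                    {"trustbuilder.org", "rebel.org"}):
        print(sorted(trusted), "->", decide("DR2", DRS, CONTENT, trusted))
    print("content changed ->",
          decide("DR2", DRS, b"changed", {"trustbuilder.org"}))
```

A certification whose hash no longer matches the fetched content is ignored rather than treated as a dispute, so changed content falls back to "undecided".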