Re: Need for a canonical byte stream for an RDF graph

On 2011-06-24, at 00:39, Gavin Carothers wrote:

> One of the commonly mentioned use cases for named graphs and graph
> literals is their use with digital signatures. At the moment signing
> an RDF graph is impossible. Today applications and systems can sign
> serializations of an RDF graph. However, there are issues with all of
> those serializations, and the whole notion of signing the serialized
> form. For example as we know a given RDF graph can be serialized into
> a huge number of equivalent RDF/XML files. We also know that RDF/XML
> can't represent all RDF graphs. If we leave the creation of a
> canonical form up to each serialization we are likely to end up with a
> large number of canonicalization methods. One for RDF/XML, one for
> Turtle, one for JSON-LD, one for RDF-JSON, etc. If we look at RDFa,
> the situation gets really strange. What the heck do you sign? The
> whole HTML, what if you just want to sign the data?

So, my experience of signed RDF graphs is limited to FOAF, where signing the serialised form of the FOAF document is sufficient. Do you have example use cases where it is not sufficient?

Incidentally, this is related to the issues with being able to tell the difference between quad data and triple data before parse time. If you check document signatures at ingest time it's critical that you know what graph(s) will be written to /before/ you start parsing the document. Once the data has been parsed it's no longer possible to check the signature again, so you have to be able to control writes to the graph.

- Steve

-- 
Steve Harris, CTO, Garlik Limited
1-3 Halford Road, Richmond, TW10 6AW, UK
+44 20 8439 8203  http://www.garlik.com/
Registered in England and Wales 535 7233 VAT # 849 0517 11
Registered office: Thames House, Portsmouth Road, Esher, Surrey, KT10 9AD

Received on Friday, 24 June 2011 09:29:12 UTC
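
Added example, not part of the original messages: the difference the thread turns on, between a signature over one serialization and a signature over a byte stream derived from the graph itself. Assumptions: HMAC-SHA256 with a constructed key stands in for a public-key signature, the two documents are constructed N-Triples, and the sort-based canonical form is a simplification that only works for graphs without blank nodes.

```python
import hashlib
import hmac

# Constructed sample data: the same two-triple graph serialized twice as
# N-Triples, with different statement order and whitespace.
DOC_A = b"""<http://example.org/alice> <http://xmlns.com/foaf/0.1/name> "Alice" .
<http://example.org/alice> <http://xmlns.com/foaf/0.1/knows> <http://example.org/bob> .
"""
DOC_B = b"""<http://example.org/alice>   <http://xmlns.com/foaf/0.1/knows>   <http://example.org/bob> .

<http://example.org/alice> <http://xmlns.com/foaf/0.1/name> "Alice" .
"""
KEY = b"constructed-demo-key"  # stand-in for a real signing key


def sign_bytes(data: bytes) -> bytes:
    """Signature over a byte stream (HMAC-SHA256 as a stand-in)."""
    return hmac.new(KEY, data, hashlib.sha256).digest()


def parse_ground_ntriples(data: bytes) -> set:
    """Parse ground N-Triples (assumed: no blank nodes) into (s, p, o) strings."""
    triples = set()
    for line in data.decode("utf-8").splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if not line.endswith("."):
            raise ValueError(f"not an N-Triples statement: {line!r}")
        s, p, o = line[:-1].strip().split(None, 2)
        if s.startswith("_:") or o.startswith("_:"):
            raise ValueError("blank nodes need real graph canonicalization")
        triples.add((s, p, o.strip()))
    return triples


def canonical_bytes(data: bytes) -> bytes:
    """One byte stream per ground graph: sorted, single-spaced statements."""
    triples = sorted(parse_ground_ntriples(data))
    return "".join(f"{s} {p} {o} .\n" for s, p, o in triples).encode("utf-8")


def verify_serialized(data: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign_bytes(data), sig)


def verify_graph(data: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign_bytes(canonical_bytes(data)), sig)
```

A signature made with `sign_bytes(DOC_A)` verifies only against the exact bytes of `DOC_A`, while one made over `canonical_bytes(DOC_A)` also verifies against `DOC_B`, because both parse to the same set of triples.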