- From: emelia <emelia@brandedcode.com>
- Date: Sun, 13 Apr 2025 12:29:43 +0200
- To: Melvin Carvalho <melvincarvalho@gmail.com>
- Cc: a <a@trwnh.com>, public-swicg@w3c.org
- Message-Id: <3751A919-D81E-4D71-90EA-729980C63B84@brandedcode.com>
No Melvin, a Person in RDF does not mean they are the same as the physical person being described by the Person; the property publicKey does not imply any control over that public key by the physical person. Furthermore, implementations are moving (slowly) away from the publicKey property towards assertionMethods: https://codeberg.org/fediverse/fep/src/branch/main/fep/521a/fep-521a.md I'm sure we had this discussion in Solid about "does this RDF equal this physical person" when it came to WebID's. Anyone can publish RDF anywhere that is potentially descriptive of a physical person, but they aren't the same and you can't necessarily trust arbitrary RDF retrieved from the web to be correct or trusted. As has already been mentioned, in AP the Actor objects with all their different types is a server describing an Actor which may be about a physical person. Nothing implies the physical person has any control over that document. – Emelia > On 13. Apr 2025, at 07:35, Melvin Carvalho <melvincarvalho@gmail.com> wrote: > > Sure — the server may be the one performing the HTTP requests, but that doesn’t change the semantics of the data. The Person is the subject, and the publicKey is explicitly a property of that Person. > > In RDF terms, this asserts that the identity represented by the Person has a key. If the key is actually controlled by the server and not the user, then that breaks the model. It’s precisely this mismatch between declared semantics and operational reality that creates the security concern.
Received on Sunday, 13 April 2025 10:30:01 UTC