Re: Domain of :key from Mo McRoberts on 2013-04-01 (public-webid@w3.org from April 2013)

From: Mo McRoberts <Mo.McRoberts@bbc.co.uk>
Date: Mon, 1 Apr 2013 19:03:58 +0000
To: Henry Story <henry.story@bblfish.net>
CC: Melvin Carvalho <melvincarvalho@gmail.com>, public-webid <public-webid@w3.org>
Message-ID: <22400B3D-0818-4EEA-92E3-DC90DCA06546@bbc.co.uk>
On Mon 2013-Apr-01, at 08:39, Henry Story <henry.story@bblfish.net> wrote:
>
> You should discuss that with Dan Brickley on the foaf mailing list if you think his definition is
> so close to being a owl:Thing that it's not worth having the distinction.

It isn't as it's used now. I'm saying it could well be if I described everything which could conceptually have an associated key(pair) as an agent. it's putting the cart before the horse.

> We don't assign the domain of :key or the range of :identity to any agent, but to those
> for which the following is true:
>
> :identity a rdf:Property, owl:ObjectProperty;
>    vs:term_status "archaic";
>    rdfs:label "identity"@en;
>    rdfs:isDefinedBy <cert#>;
>    skos:editorialNote """
>         It turns out that this relation is unintuitive to write out and to name.
>         One should instead use cert:key
>    """@en;
>    rdfs:comment """
>    the identity of the public key. This is the entity that knows the private key and
>    so can decrypt messages encrypted with the public key, or encrypt messages that can
>    be decrypted with the public key.
>    """@en;
>    owl:inverseOf :key;
>    rdfs:domain :PublicKey .
>
>
> That is it has to be something that can be responsible for a private key - keeping
> it safe from other agents within reason, and it has to be something that can encrypt
> and decrypt messages with the key. Those are very clearly agent like things.
> Software agents can be such things.

So I think perhaps the issue here is that this is an ontology specified for the benefit and purposes of WebID, but the 99% of the mechanics of it (not to mention the name) are entirely generic. Is this 'a cert ontology', or is this 'the WebID (certificates and keys) ontology'? If it's the latter, then it seems to me that there should be a somewhat more generically-focussed equivalent — but then things get messy.

>
>>
>> This is the distinction, I guess, between 'is defined as an agent' and 'has the properties of an agent' — and I suppose why X.509/LDAP has a distinction between 'structural' and 'auxiliary' classes (the former being defining qualities, the latter describing facets).
>>
>> What about, say, a piece of digital media? There are situations where encoded media has its own keys conforming otherwise to the ontology, and it's a bit of a stretch to say that *it* is an agent.
>
> Does digital media also have its private keys with which it can sign something? Is Holloywood going to
> encrypt digital media and add the private key to the media too, so that the media can then do what?
> Clearly not. So they don't conform to the ontology

Not autonomously: that's rather the point. If they were autonomous, they would be agents! The point is that they have associated keys (they belong conceptually more to the encoded media itself than to anything you'd define as an agent per se).

> But perhaps this will become more obvious if you give us the use case. My guess is that this
> will reveal that you need a very different relation. And I am not against that.

Off the top of my head, "the thing which this key belongs to" — which may be an agent or may not.

I'm not sure why you think that (aside from the cert:key domain in question) I'd want something other than cert:key for associating a cert:PublicKey or cert:PrivateKey with an entity which is considered to "own" it, be that sshd on a particular host, a Blu-Ray player, or my next-door neighbour.

>> Flipping this around the other way, why _should_ the domain be restricted to foaf:Agent? What practical problems does it cause? (Noting that this isn't necessarily modifying the definition of a WebID, just that anything can have a key or even a certificate associated with it).
>
> Because we want a relation relating the Agent that is doing the encryption decryption using the given key.

You already know whether the thing associated with a key is an Agent or not, considering that it's the object in the cert:key triple…

Perhaps more to the point, there's little in WebID which actually cares who is doing the encryption or decryption mainly because nobody who holds a WebID actually does that themselves.

M.

--
Mo McRoberts - Analyst - BBC Archive Development,
Zone 1.08, BBC Scotland, 40 Pacific Quay, Glasgow G51 1DA,
MC3 D4, Media Centre, 201 Wood Lane, London W12 7TQ,
0141 422 6036 (Internal: 01-26036) - PGP key CEBCF03E



-----------------------------
http://www.bbc.co.uk
This e-mail (and any attachments) is confidential and
may contain personal views which are not the views of the BBC unless specifically stated.
If you have received it in
error, please delete it from your system.
Do not use, copy or disclose the
information in any way nor act in reliance on it and notify the sender
immediately.
Please note that the BBC monitors e-mails
sent or received.
Further communication will signify your consent to
this.
-----------------------------
Received on Monday, 1 April 2013 19:04:51 UTC