Re: [foaf-dev] FOAF sites offline during cleanup from Dan Brickley on 2009-04-27 (semantic-web@w3.org from April 2009)

From: Dan Brickley <danbri@danbri.org>
Date: Mon, 27 Apr 2009 20:18:21 +0200
To: Jeremy Carroll <jeremy@topquadrant.com>
CC: 'foaf-dev Friend of a' <foaf-dev@lists.foaf-project.org>, foaf-protocols@lists.foaf-project.org, 'Semantic Web' <semantic-web@w3.org>, 'Thomas Roessler' <tlr@w3.org>
Message-ID: <49F5F6ED.6010206@danbri.org>

On 27/4/09 20:03, Jeremy Carroll wrote:
> My view is that neither XML sig nor some sort of RDF signature, as envisaged in my paper cited in this thread, are appropriate.
>
> The techniques of both are trying to permit signing of the pertinent information, while ignoring irrelevancies (such as white space [in XML] or triple order [in RDF]).
>
> But why bother?
>
> If you have the original document, and its signature, just as a text file, you can confirm authorship. This solves the actual problems: everything else is just an intellectual exercise.

Yep. So how to record it's signature? In the FOAF scene we used to do 
this: http://usefulinc.com/foaf/signingFoafFiles

Which basically involves being set up as a PGPGPGPG user and typing

 gpg -a --detach-sign myfile.rdf

My thinking was that we really ought to be using XML Sig (some simplest 
piece, ...) since that is more inclusive across X509 and PGP approaches. 
And since java comes with lots of support for it now, we could still do 
it with a nice little portable tool...

> As with all software problems, ask the question: what are we trying to achieve? Then can we achieve that easily with some off the shelf software?&  try and use the simplest off-the-shelf software one can.

(Java plus no extra libraries was quite appealing)

> The presenting problem is that Dan's web site was hacked, and some crucial files for SemWeb are down until he recovers the site.
 >
> What we need (for the future) is reliable copies of those crucial files, that we know are good.
>
> I think that using the original documents, and signatures of those docs as text files achieves the goals.

Yes. Don't get me wrong, I really liked your exploration of how to 
canonicalise RDF graphs that contained bnodes, really clever approach. 
But for this current scenario, signing the source text file is massively 
simpler...

> Of course, the next thing that happens, is what happens when someone's private key is compromised ...

Yup :)

For RDFS/OWL specs, we might reasonably expect two editors to sign each 
republication independently...

Dan

Received on Monday, 27 April 2009 18:19:06 UTC