
Re: [foaf-dev] FOAF sites offline during cleanup

From: Dan Brickley <danbri@danbri.org>
Date: Mon, 27 Apr 2009 20:18:21 +0200
Message-ID: <49F5F6ED.6010206@danbri.org>
To: Jeremy Carroll <jeremy@topquadrant.com>
CC: 'foaf-dev Friend of a' <foaf-dev@lists.foaf-project.org>, foaf-protocols@lists.foaf-project.org, 'Semantic Web' <semantic-web@w3.org>, 'Thomas Roessler' <tlr@w3.org>
On 27/4/09 20:03, Jeremy Carroll wrote:
> My view is that neither XML sig nor some sort of RDF signature, as envisaged in my paper cited in this thread, are appropriate.
>
> The techniques of both are trying to permit signing of the pertinent information, while ignoring irrelevancies (such as white space [in XML] or triple order [in RDF]).
>
> But why bother?
>
> If you have the original document, and its signature, just as a text file, you can confirm authorship. This solves the actual problems: everything else is just an intellectual exercise.

Yep. So how to record its signature? In the FOAF scene we used to do 
this: http://usefulinc.com/foaf/signingFoafFiles

Which basically involves being set up as a PGP user and typing

	gpg -a --detach-sign myfile.rdf

My thinking was that we really ought to be using XML Sig (some simplest 
piece, ...) since that is more inclusive across X509 and PGP approaches. 
And since java comes with lots of support for it now, we could still do 
it with a nice little portable tool...


> As with all software problems, ask the question: what are we trying to achieve? Then can we achieve that easily with some off the shelf software? & try and use the simplest off-the-shelf software one can.

(Java plus no extra libraries was quite appealing)

> The presenting problem is that Dan's web site was hacked, and some crucial files for SemWeb are down until he recovers the site.
>
> What we need (for the future) is reliable copies of those crucial files, that we know are good.
>
> I think that using the original documents, and signatures of those docs as text files achieves the goals.

Yes. Don't get me wrong, I really liked your exploration of how to 
canonicalise RDF graphs that contained bnodes, really clever approach. 
But for this current scenario, signing the source text file is massively 
simpler...

> Of course, the next thing that happens, is what happens when someone's private key is compromised ...

Yup :)

For RDFS/OWL specs, we might reasonably expect two editors to sign each 
republication independently...

Dan
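The `gpg -a --detach-sign` step above and Dan's closing remark about two editors signing a republication independently, worked through as an added shell example (not code from the thread or from the FOAF project). It assumes GnuPG 2.1+ is installed; the editors, their keys and the RDF file are constructed for the demo, and a mirror copy that differs only by a trailing newline shows that text-level signatures reject even whitespace changes.

```shell
#!/bin/sh
# Added example: detached gpg signatures over the raw bytes of an RDF file,
# with two hypothetical editors signing the same file independently.
# Assumes GnuPG 2.1+; editors, keys and the FOAF file are all constructed here.
set -eu
command -v gpg >/dev/null 2>&1 || { echo "gpg is required" >&2; exit 1; }
export GNUPGHOME="$(mktemp -d)"; chmod 700 "$GNUPGHOME"   # throwaway keyring
WORK="$(mktemp -d)"

make_key() {  # unattended, unprotected throwaway key for editor "$1"
    printf '%%no-protection\nKey-Type: RSA\nKey-Length: 2048\nName-Real: %s\n' "$1" > "$WORK/$1.params"
    printf 'Name-Email: %s@example.org\nExpire-Date: 0\n%%commit\n' "$1" >> "$WORK/$1.params"
    gpg --batch --quiet --gen-key "$WORK/$1.params" 2>/dev/null
}

sign_as() {  # editor "$1" writes the ASCII-armoured detached signature "$2.$1.asc"
    gpg --batch --quiet --yes --local-user "$1@example.org" \
        --output "$2.$1.asc" -a --detach-sign "$2"
}

count_good_sigs() {  # how many "$1".*.asc signatures verify against the bytes of "$1"
    n=0
    for sig in "$1".*.asc; do
        if gpg --batch --quiet --verify "$sig" "$1" 2>/dev/null; then n=$((n + 1)); fi
    done
    echo "$n"
}

make_key alice
make_key bob
# Constructed stand-in for a crucial FOAF/RDFS file that two editors republish.
cat > "$WORK/foaf.rdf" <<'EOF'
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
         xmlns:foaf="http://xmlns.com/foaf/0.1/">
  <foaf:Person><foaf:name>Example Editor</foaf:name></foaf:Person>
</rdf:RDF>
EOF
sign_as alice "$WORK/foaf.rdf"
sign_as bob "$WORK/foaf.rdf"

# A mirror copy that differs only by a trailing newline: same RDF graph, but the
# signatures cover the text, so every signature must fail against it.
{ cat "$WORK/foaf.rdf"; printf '\n'; } > "$WORK/mirror.rdf"
for sig in "$WORK"/foaf.rdf.*.asc; do
    cp "$sig" "$WORK/mirror.rdf.${sig##*/foaf.rdf.}"
done

echo "good signatures on original: $(count_good_sigs "$WORK/foaf.rdf")"   # 2
echo "good signatures on mirror:   $(count_good_sigs "$WORK/mirror.rdf")" # 0
```

Each `.asc` file can be checked on its own, so a mirror that carries the original bytes plus both editors' signatures is verifiable without trusting the mirror host.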
Received on Monday, 27 April 2009 18:19:06 UTC

This archive was generated by hypermail 2.4.0 : Tuesday, 5 July 2022 08:45:11 UTC