RE: [foaf-dev] FOAF sites offline during cleanup

Yes, in practice XML sig may have advantages over simple text file signing. But they are not particularly the advantages advertised for XML sig.

The RDF canonicalization stuff was interesting, but doesn't seem very practically relevant.

Jeremy


> -----Original Message-----
> From: semantic-web-request@w3.org [mailto:semantic-web-request@w3.org]
> On Behalf Of Dan Brickley
> Sent: Monday, April 27, 2009 11:18 AM
> To: Jeremy Carroll
> Cc: 'foaf-dev Friend of a'; foaf-protocols@lists.foaf-project.org;
> 'Semantic Web'; 'Thomas Roessler'
> Subject: Re: [foaf-dev] FOAF sites offline during cleanup
> 
> On 27/4/09 20:03, Jeremy Carroll wrote:
> > My view is that neither XML sig nor some sort of RDF signature, as
> > envisaged in my paper cited in this thread, are appropriate.
> >
> > The techniques of both are trying to permit signing of the pertinent
> > information, while ignoring irrelevancies (such as white space [in XML]
> > or triple order [in RDF]).
> >
> > But why bother?
> >
> > If you have the original document, and its signature, just as a text
> > file, you can confirm authorship. This solves the actual problems:
> > everything else is just an intellectual exercise.
> 
> Yep. So how to record it's signature? In the FOAF scene we used to do
> this: http://usefulinc.com/foaf/signingFoafFiles
> 
> Which basically involves being set up as a PGP user and typing
> 
>  gpg -a --detach-sign myfile.rdf
> 
> My thinking was that we really ought to be using XML Sig (some simplest
> piece, ...) since that is more inclusive across X509 and PGP
> approaches.
> And since java comes with lots of support for it now, we could still do
> it with a nice little portable tool...
> 
> 
> > As with all software problems, ask the question: what are we trying
> > to achieve? Then can we achieve that easily with some off the shelf
> > software? & try and use the simplest off-the-shelf software one can.
> 
> (Java plus no extra libraries was quite appealing)
> 
> > The presenting problem is that Dan's web site was hacked, and some
> > crucial files for SemWeb are down until he recovers the site.
> >
> > What we need (for the future) is reliable copies of those crucial
> > files, that we know are good.
> >
> > I think that using the original documents, and signatures of those
> > docs as text files achieves the goals.
> 
> Yes. Don't get me wrong, I really liked your exploration of how to
> canonicalise RDF graphs that contained bnodes, really clever approach.
> But for this current scenario, signing the source text file is
> massively
> simpler...
> 
> > Of course, the next thing that happens, is what happens when
> > someone's private key is compromised ...
> 
> Yup :)
> 
> For RDFS/OWL specs, we might reasonably expect two editors to sign each
> republication independently...
> 
> Dan

Received on Monday, 27 April 2009 18:28:21 UTC
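Added example, not part of the thread above or of any FOAF tooling: the detached-signature model the two of them settle on (sign the source text file exactly as served, keep the signature beside it, no canonicalisation), with the two follow-ups Dan raises, a quorum of two editors per republication and withdrawal of a compromised key. It uses Go's standard-library Ed25519 in place of gpg/PGP so it runs with no external tools; the editor names, the sample RDF file and the TrustStore/VerifyPublication helpers are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// SampleDoc is a constructed stand-in for a FOAF file. The signature covers
// these bytes exactly as served, whitespace and triple order included.
const SampleDoc = `<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
         xmlns:foaf="http://xmlns.com/foaf/0.1/">
  <foaf:Person><foaf:name>Example Editor</foaf:name></foaf:Person>
</rdf:RDF>
`

// Signer is one editor holding a long-term keypair (hypothetical; stands in
// for the PGP key a maintainer would use with gpg --detach-sign).
type Signer struct {
	Name string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewSigner(name string) (*Signer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Signer{Name: name, Pub: pub, priv: priv}, nil
}

// DetachedSign signs the raw bytes of the document. Nothing is canonicalised;
// the returned signature is stored beside the file, as a .asc would be.
func (s *Signer) DetachedSign(doc []byte) []byte {
	return ed25519.Sign(s.priv, doc)
}

// Verify checks a detached signature against the exact bytes on disk. Any
// change at all, even a single added space, makes verification fail.
func Verify(pub ed25519.PublicKey, doc, sig []byte) bool {
	return ed25519.Verify(pub, doc, sig)
}

// TrustStore is the verifier's list of editor keys plus the names whose keys
// were withdrawn after a compromise; a revoked key's signatures never count.
type TrustStore struct {
	Keys    map[string]ed25519.PublicKey
	Revoked map[string]bool
}

func NewTrustStore(editors ...*Signer) TrustStore {
	ts := TrustStore{Keys: map[string]ed25519.PublicKey{}, Revoked: map[string]bool{}}
	for _, e := range editors {
		ts.Keys[e.Name] = e.Pub
	}
	return ts
}

func (ts TrustStore) Revoke(name string) { ts.Revoked[name] = true }

// VerifyPublication counts valid signatures from distinct, known, unrevoked
// editors and requires at least quorum of them (two editors signing each
// republication independently means quorum = 2). It returns the count of
// valid signatures and an error when the quorum is not met.
func VerifyPublication(ts TrustStore, doc []byte, sigs map[string][]byte, quorum int) (int, error) {
	valid := 0
	for name, sig := range sigs {
		pub, known := ts.Keys[name]
		if !known || ts.Revoked[name] {
			continue // unknown or withdrawn key: ignored even if it verifies
		}
		if Verify(pub, doc, sig) {
			valid++
		}
	}
	if valid < quorum {
		return valid, fmt.Errorf("only %d of %d required valid signatures", valid, quorum)
	}
	return valid, nil
}

func main() {
	dan, _ := NewSigner("dan")
	jeremy, _ := NewSigner("jeremy")
	doc := []byte(SampleDoc)
	sigs := map[string][]byte{"dan": dan.DetachedSign(doc), "jeremy": jeremy.DetachedSign(doc)}
	ts := NewTrustStore(dan, jeremy)

	n, err := VerifyPublication(ts, doc, sigs, 2)
	fmt.Println("both editors signed:", n, err)

	tampered := append([]byte(" "), doc...) // one leading space added
	n, err = VerifyPublication(ts, tampered, sigs, 2)
	fmt.Println("whitespace changed:", n, err)

	ts.Revoke("dan") // dan's private key was compromised
	n, err = VerifyPublication(ts, doc, sigs, 2)
	fmt.Println("after revocation:", n, err)
}
```

The trade-off Jeremy accepts is visible in the second check: because nothing is canonicalised, an edit that changes no triple (a leading space) still invalidates every signature, so a republished file must be re-signed by the editors. The third check is the answer to "what happens when someone's private key is compromised": the verifier's trust store, not the signature format, decides which keys still count, and a two-editor quorum means one stolen key cannot pass a forged file on its own.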