- From: Sampo Syreeni <decoy@iki.fi>
- Date: Tue, 28 Apr 2009 18:12:21 +0300 (EEST)
- To: Dan Brickley <danbri@danbri.org>
- cc: Story Henry <henry.story@bblfish.net>, Kingsley Idehen <kidehen@openlinksw.com>, Semantic Web <semantic-web@w3.org>, foaf-dev Friend of a <foaf-dev@lists.foaf-project.org>
On 2009-04-28, Dan Brickley wrote:

> Those are not the kinds of property of an algorithm that endear it to
> use in a security context. Jeremy himself said earlier in this thread
> that signing the source text is more appropriate to the current
> problem space, and I'd like to stick with that conclusion and move on!

Much agreed. When thinking about algorithms (or heaven forbid standards, such as W3C's XML signatures), one should first and always ask one question: what is the problem that is being solved? In this case I'm at a loss to find such a practical application.

It's always elegant and as such tempting to devise authentication methods which attest to the semantics, and the semantics only, of a given piece of text. Or at least disambiguate fully what is being attested to. That's why we often want to devise normalization and canonicalization algorithms. But in the end, do they really give us any tangible benefit over signing the source text, and perhaps additionally, socially, recognizing the fact that the only thing being attested to is the semantics, modulo syntactic variation?

I don't think so. Rather I believe normalization before signing is trying to solve a problem that is currently insurmountable: one that has to do with semantics, disambiguation and social protocol, as opposed to easily machine processable "stuff". As such, it is currently better left to human judgment, even with its inherent ambiguity, because pretending that the problem can be solved via limited algorithmic means is at least in my mind just a misleading fancy.

--
Sampo Syreeni, aka decoy - decoy@iki.fi, http://decoy.iki.fi/front
+358-50-5756111, 025E D175 ABE5 027C 9494 EEB0 E090 8BA9 0509 85C2
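An added illustration of the tradeoff discussed above (example code, not from this thread or any of the projects it mentions): signing the source text means any byte-level difference, even triple order or spacing, invalidates the signature, whereas a canonicalization step has to decide what counts as "the same" and can quietly widen what the signature attests to. The N-Triples documents, the key and the toy canonicalizer are constructed for the demo and stand in for no standard algorithm.

```python
import hashlib
import hmac

# Constructed sample data: three small N-Triples documents (stand-ins for a
# FOAF file). A and B state the same triples with different order and spacing;
# C differs from A only by a doubled space inside the literal "Alice  Smith".
DOC_A = (b'<http://example.org/alice> <http://xmlns.com/foaf/0.1/knows> <http://example.org/bob> .\n'
         b'<http://example.org/alice> <http://xmlns.com/foaf/0.1/name> "Alice Smith" .\n')
DOC_B = (b'<http://example.org/alice>   <http://xmlns.com/foaf/0.1/name>   "Alice Smith" .\n'
         b'\n'
         b'<http://example.org/alice> <http://xmlns.com/foaf/0.1/knows> <http://example.org/bob> .\n')
DOC_C = DOC_A.replace(b'"Alice Smith"', b'"Alice  Smith"')

KEY = b"constructed-demo-key"  # placeholder for the demo, not a real signing key


def sign_source(doc: bytes) -> str:
    """Sign the source text as transmitted: every byte is part of what is attested."""
    return hmac.new(KEY, doc, hashlib.sha256).hexdigest()


def canonicalize(doc: bytes) -> bytes:
    """Toy canonicalization (an assumption for this demo, not a standard
    algorithm): collapse runs of whitespace, drop blank lines, sort the triples.
    It also collapses whitespace inside string literals, so a signature over
    this form covers a wider class of texts than the signer may have meant."""
    lines = [" ".join(raw.split()) for raw in doc.decode("utf-8").splitlines()]
    return ("\n".join(sorted(ln for ln in lines if ln)) + "\n").encode("utf-8")


def sign_canonical(doc: bytes) -> str:
    """Sign the canonical form instead of the source text."""
    return sign_source(canonicalize(doc))


def verify(doc: bytes, sig: str, canonical: bool = False) -> bool:
    """Check a signature under either policy, using a constant-time comparison."""
    expected = sign_canonical(doc) if canonical else sign_source(doc)
    return hmac.compare_digest(expected, sig)


if __name__ == "__main__":
    sig_src, sig_can = sign_source(DOC_A), sign_canonical(DOC_A)
    print("source-text signature survives reordering:     ", verify(DOC_B, sig_src))
    print("canonical signature survives reordering:       ", verify(DOC_B, sig_can, True))
    print("canonical signature also accepts changed literal:", verify(DOC_C, sig_can, True))
```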
Received on Tuesday, 28 April 2009 15:13:20 UTC