Re: what is on Trust and Proof levels?

On 1 November 2010 14:55, Henry Story <henry.story@bblfish.net> wrote:
>
> On 1 Nov 2010, at 14:25, Nathan wrote:
>
>> Henry Story wrote:
>>> On 31 Oct 2010, at 09:23, Ivan Herman wrote:
>>>> On Oct 29, 2010, at 01:58 , Juriy Katkov wrote:
>>>>
>>>>> Hello everyone! I've studied semantic web standard and technologies for some time but still don't understand: what kind of technologies are on Proof and Trust levels of the Semantic Web layer cake? Have these standards already been built or not?
>>>>>
>>>> The short answer is: no.
>>>>
>>>> There is R&D on trust, security issues, signatures, etc, but none that I know of are of a maturity level to be defined as a standard. (Yet?)
>>> Well I think WebID is really past that stage now. It's been tested on more platforms than one
>>> can think of and list, people have written theses on it, implementations have been made, ...
>>>   http://esw.w3.org/Foaf%2Bssl
>>> It's mature, and ready to be cooked by a willing standards organisation. If you want to support it and are a member of the W3C please add your name to the wiki here: http://esw.w3.org/Foaf%2Bssl/WebIdWorkingGroup
>>> That provides a foundation stone for the rest. The rest is still a lot of work.
>>
>> There's still a critical link missing, there's no way of proving in RDF
>
> You cannot make proofs in RDF. You make statements.
>
>> that a person really holds the private key for which they say they hold the public key.
>
> I am surprised that you still have this issue. It sounds like you still have not understood foaf+ssl
> to me. Are you saying that all our deployments are broken at present? Or is there something I am missing?
>
> The proof of ownership of the private key is not in the foaf profile. The proof that the authenticating party (romeo) has the private key is in the SSL connection that his agent makes with the Relying Party (Juliet's server).
>
> (I really go into this at length here
>  http://www.slideshare.net/bblfish/philosophy-and-the-social-web-5583083 )
>
>> If however one was to do something like sign their URI with their private key and pop the signature in the graph, then you could establish that they do or did hold that key simply by considering the RDF.
>
> So what are the attack vectors that our current implementations are at risk of, since they do not
> implement this? If you are adding a new feature, then there must be something that it is fixing, right?

This came up while discussing PGP key signing and Web of Trust.  See below:

http://www.cryptnet.net/fdp/crypto/keysigning_party/en/keysigning_party.html#web_of_trust_definition

You can digitally sign your own public key packet and any associated
id in that public key, or another entity's public key packet and
associated user ids. Self signatures prevent adversaries from
appending fake encryption or signature keys on your public key
material while it is stored publicly or while it is being transmitted.
If an adversary were able to add a fake encryption or signature key,
they could add a public key packet to which only they possess the
private key. This could result in an individual who wishes to
communicate with you in secret inadvertently transmitting their
communication to the person that serendipitously modified your public
key in transit. By default, GnuPG and most other implementations of the
OpenPGP standard automatically perform self signature on all User ID
packets generated for a public key.

In a sense, key signatures validate public keys. They are an
endorsement of validity of a public key packet and associated id by a
third party. This is the way in which key signing builds the web of
trust.

>
>> A few of us had a long conversation on #swig this morning, which starts off right at the above point, do see:
>>  http://chatlogs.planetrdf.com/swig/2010-11-01.html
>>
>> To save repeating it all,
>>
>> Best,
>>
>> Nathan
>
> Social Web Architect
> http://bblfish.net/
>
>
>

Received on Monday, 1 November 2010 14:06:46 UTC
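
Added example, not part of the original thread or of any foaf+ssl implementation: it contrasts the two proofs discussed above, a static self-signature published with the key (the PGP-style approach) and a live answer to a fresh challenge (a simplified stand-in for what the SSL client-certificate handshake provides). The function names, the Ed25519 key type, the signed byte layout and the sample WebID URI are all assumptions made for illustration.

```javascript
const crypto = require('crypto'); // Added illustration; all names are hypothetical.

// Bytes covered by the self-signature: the WebID URI bound to the public key.
function binding(webid, publicKey) {
  const spki = publicKey.export({ type: 'spki', format: 'der' });
  return Buffer.concat([Buffer.from(webid + '\n', 'utf8'), spki]);
}

// Static proof: computed once and published beside the key in the profile.
function selfSign(webid, keys) {
  return crypto.sign(null, binding(webid, keys.publicKey), keys.privateKey);
}

function verifySelfSig(p) {
  return crypto.verify(null, binding(p.webid, p.publicKey), p.publicKey, p.sig);
}

// Live proof: the relying party picks a fresh nonce and the client signs it.
// This stands in for the TLS client-certificate handshake (a simplification).
function answer(nonce, privateKey) {
  return crypto.sign(null, nonce, privateKey);
}

function checkAnswer(nonce, p, sig) {
  return crypto.verify(null, nonce, p.publicKey, sig);
}

function demo() {
  const romeo = crypto.generateKeyPairSync('ed25519');
  const other = crypto.generateKeyPairSync('ed25519'); // a different key holder
  const webid = 'https://romeo.example/profile#me';    // constructed sample URI
  const profile = { webid, publicKey: romeo.publicKey, sig: selfSign(webid, romeo) };
  const [nonce1, nonce2] = [crypto.randomBytes(32), crypto.randomBytes(32)];
  const romeoAnswer = answer(nonce1, romeo.privateKey);
  return {
    selfSigValid: verifySelfSig(profile),
    // Key swapped while the profile is stored or in transit, signature kept.
    swappedKeyValid: verifySelfSig({ ...profile, publicKey: other.publicKey }),
    // A verbatim copy of the profile still verifies: the signature is static.
    copiedProfileValid: verifySelfSig({ ...profile }),
    romeoLive: checkAnswer(nonce1, profile, romeoAnswer),
    // Holding a copy of the profile does not help against a fresh nonce.
    copierLive: checkAnswer(nonce1, profile, answer(nonce1, other.privateKey)),
    // An answer to an earlier nonce is rejected for a new one.
    replayLive: checkAnswer(nonce2, profile, romeoAnswer),
  };
}

console.log(demo());
```

The static signature detects a substituted key and shows that the key holder signed that URI and key together at some point; only the fresh challenge shows possession of the private key at the time of the connection.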