Re: Chartering work has started for a Linked Data Signature Working Group @W3C

TL;DR:  It is no mistake to examine and point out problems in supporting 
documents at this point in the creation of a working group.


If a working group charter points to existing work as a starting point, and 
especially when a charter so prominently points to the existing work of a 
single body, then I expect a certain minimum level of competence exhibited in 
that work.   This is particularly so when there are security aspects in the 
proposed working group. I am decidedly not seeing this minimum level of 
competence in the documents referenced by this charter.

I strongly suggest that you get a computer security expert to look through the 
current version of the documents mentioned in the charter.  At this point I 
think this review should be required even if the charter is revised to no 
longer point to these documents.


So I strongly dispute your statement that it is a mistake to look at the 
current documents that the draft charter points to and make conclusions based 
on what is in these documents.  I realize that these documents may change and 
I realize the time pressures involved in transitioning from a community group 
to a working group.  But this doesn't mean that just the drafting of a working 
group charter is not a good time to hold up the current state of supporting 
documents to close examination.  Surely it is better to do this now, when 
there is a chance that the situation might be improved, than during AC review 
of the working group charter.


peter


On 5/13/21 3:39 AM, Ivan Herman wrote:
> Peter (and others who may have made the same mistake)
>
> At the moment, the charter text says:
>
> "Draft State to be adopted from: …"
>
> the intention is not to take over the, say, Linked Data Proof document as 
> is, just to start by some document that is already there. I.e., the charter 
> does not say that, say, the FPWD of the respective deliverable will be that 
> document. In this sense, the criticism on that document is not really 
> relevant for the charter.
>
> In an upcoming new version I may change that to something like "input 
> document", or something similar.
>
> (The problem with the current situation is that the charters at W3C follow a 
> specific template which, in this case, may be misleading.)
>
> Ivan
>
>
>> On 12 May 2021, at 19:47, Peter F. Patel-Schneider <pfpschneider@gmail.com> wrote:
>>
>> I was looking through the draft charter. Under the suggestion that RDF and 
>> Linked Data are synonyms we get the following deliverables.
>>
>> RDF Dataset Canonicalization (RDC)
>> RDF Dataset Hash (RDH)
>> RDF Integrity (RI)
>> RDF Security Vocabulary (RSV)
>>
>> I understand RDC, which is existing work, and RDH, which is also very close 
>> to existing work. I think I understand RI, which appears to be nothing more 
>> than the writing down of the necessary information to be able to verify 
>> signatures and similar things. Then RSV is just a vocabulary for these things.
>>
>> So far, so good.
>>
>> But when I look at the examples in the proposed source of RI, I get 
>> confused.  I see there an example of adding a signature into what looks 
>> like a JSON-LD document.  As far as I can tell, this JSON-LD document, 
>> EXAMPLE 1, produces an empty graph but this depends on the contents of the 
>> context document at https://w3id.org/identity/v1. The signed document, 
>> EXAMPLE 2, also produces an empty graph but this depends on the contents 
>> of two documents, neither of which is the context document for the 
>> original document.  So I'm very puzzled as to just what is going on here.
>>
>> OK, maybe all this is just about some aspect of JSON-LD, so I considered 
>> signing a Turtle document.  Here is a Turtle document:
>>
>> @prefix foaf: <http://xmlns.com/foaf/0.1/> .
>>
>> <alice> foaf:name "Alice" .
>>
>>
>> I quickly run into two problems.
>>
>> First, where is the signature supposed to go to make a signed document?  I 
>> suppose that it can be just fit into comments.
>>
>> Second, what is the RDF graph resulting from this document?  That depends 
>> on the base IRI, which can be influenced by the location of the document.  
>> So will there have to be an extra location provided as input to RDC and 
>> associated with the signature?  This issue also appears in JSON-LD documents.
>>
>> I couldn't find any discussion of these issues in the input documents for 
>> the proposed WG.  I expected to see something saying how to add signatures 
>> to RDF concrete syntaxes and something that excluded documents with 
>> relative IRIs or somehow handled relative IRIs.  I also expected to see 
>> something that worked for JSON-LD documents.
>>
>> So I'm rather confused as to just how the WG is going to do what it needs 
>> to do.
>>
>>
>> peter
>>
>>
>
>
> ----
> Ivan Herman, W3C
> Home: http://www.w3.org/People/Ivan/
> mobile: +33 6 52 46 00 43
> ORCID ID: https://orcid.org/0000-0003-0782-2704
>

Received on Thursday, 13 May 2021 11:33:26 UTC
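
The base-IRI question raised in the quoted message, as an added example that is not part of the original thread: the same Turtle bytes are resolved against two retrieval locations, yielding different graphs and therefore different hashes. The two base IRIs are constructed, the parser handles only the small Turtle subset the message uses, and SHA-256 over sorted N-Triples is an assumed stand-in for the charter's canonicalize-then-hash step.

```python
import hashlib
import re
from urllib.parse import urljoin, urlparse

# The Turtle document from the quoted message.
TURTLE = '''@prefix foaf: <http://xmlns.com/foaf/0.1/> .

<alice> foaf:name "Alice" .
'''

PREFIX_RE = re.compile(r'@prefix\s+(\w*):\s*<([^>]*)>\s*\.')
TERM = r'(<[^>]*>|\w*:\w+|"[^"]*")'
TRIPLE_RE = re.compile(r'^\s*' + TERM + r'\s+' + TERM + r'\s+' + TERM + r'\s*\.\s*$', re.M)


def to_ntriples(turtle, base_iri):
    """Parse the small Turtle subset used here (prefixes, IRIs, plain string
    literals) into sorted N-Triples lines, resolving IRIs against base_iri."""
    prefixes = dict(PREFIX_RE.findall(turtle))

    def term(tok):
        if tok.startswith('"'):
            return tok
        if tok.startswith('<'):
            return '<' + urljoin(base_iri, tok[1:-1]) + '>'
        prefix, local = tok.split(':', 1)
        return '<' + urljoin(base_iri, prefixes[prefix]) + local + '>'

    body = PREFIX_RE.sub('', turtle)
    return sorted(' '.join(map(term, m.groups())) + ' .'
                  for m in TRIPLE_RE.finditer(body))


def graph_hash(turtle, base_iri):
    """SHA-256 over sorted N-Triples: a stand-in for canonicalize-then-hash,
    adequate here only because the graph has no blank nodes."""
    data = '\n'.join(to_ntriples(turtle, base_iri)) + '\n'
    return hashlib.sha256(data.encode('utf-8')).hexdigest()


def relative_iris(turtle):
    """IRI references with no scheme; their meaning depends on the base IRI."""
    return [i for i in re.findall(r'<([^>]*)>', turtle) if not urlparse(i).scheme]


if __name__ == '__main__':
    for base in ('https://example.org/data/doc.ttl',      # constructed locations
                 'https://mirror.example.net/copy/doc.ttl'):
        print(base, to_ntriples(TURTLE, base), graph_hash(TURTLE, base)[:16])
    print('relative IRIs:', relative_iris(TURTLE))
```

A verifier that rebuilds the graph from a copy fetched at another location computes a different hash, which is why the message asks either for the location to be supplied as input alongside the signature or for documents with relative IRIs to be excluded.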