Re: Chartering work has started for a Linked Data Signature Working Group @W3C

From: Dan Brickley <danbri@danbri.org>
Date: Fri, 21 May 2021 09:20:07 +0100
Message-ID: <CAFfrAFoppNHcrz3yoUPQ9aNa4MJjNKZ19W7ox6F7kitSF5AEUA@mail.gmail.com>
To: Peter Patel-Schneider <pfpschneider@gmail.com>
Cc: Aidan Hogan <aidhog@gmail.com>, semantic-web@w3.org
On Fri, 21 May 2021 at 00:34, Peter Patel-Schneider <pfpschneider@gmail.com>
wrote:

> On Thu, 2021-05-20 at 18:58 -0400, Aidan Hogan wrote:
> > [...]
> >
> > RDF Dataset canonicalisation has indeed undergone review by trained
> > mathematicians as mentioned before, but to the best of my knowledge, the
> > people involved (those findable from the explainer) are not security or
> > cryptography experts. Which security and cryptography engineers have
> > reviewed which parts? It would be good to see input from such experts
> > regarding (2) and particularly (3).
> >
>
> Indeed.  As far as I know [3], i.e., the idea of augmenting graphs
> while signing and removing the augmentations while verifying isn't a
> standard part of security and cryptography.   Which experts have signed
> off on this?


On this detail, does it recurse reliably?

If Ale writes some RDF, Brin signs it to assure basic integrity of the
communication, publishes the result, and then a couple days later Cary
signs it to indicate institutional endorsement of the original claims, etc.
Are there any cases where manipulating an additional signing could mess
with embedded earlier signings, to malicious ends?

Dan

ps. I like the “signing *for* linked data” formulation, as an exercise in
creative consensus building. However most of the currently listed use cases
don’t engage with Linked Data in the sense of Tim’s founding writeup or the
practices of the community that built the LOD cloud. They don’t even engage
particularly with the common use of JSON-LD in public web pages.

How about “Data Signing for RDF and Verifiable Credentials WG” to
acknowledge the two strands of work justifying the group. If VC need this,
that could be enough to justify a WG, since it is an actively deployed
recent REC.

(Or “Signed RDF to fit in a barcode WG” if we’re not in the signing large
KGs business?)

> As well, where is the open-source reference implementation?  I would
> like to be able to play around with it to check out just what is
> supposed to happen.


+1


> peter
>
>
>
>
Received on Friday, 21 May 2021 08:21:32 UTC