- From: Dan Brickley <danbri@danbri.org>
- Date: Fri, 21 May 2021 09:20:07 +0100
- To: Peter Patel-Schneider <pfpschneider@gmail.com>
- Cc: Aidan Hogan <aidhog@gmail.com>, semantic-web@w3.org
- Message-ID: <CAFfrAFoppNHcrz3yoUPQ9aNa4MJjNKZ19W7ox6F7kitSF5AEUA@mail.gmail.com>
On Fri, 21 May 2021 at 00:34, Peter Patel-Schneider <pfpschneider@gmail.com> wrote:

> On Thu, 2021-05-20 at 18:58 -0400, Aidan Hogan wrote:
> > [...]
> >
> > RDF Dataset canonicalisation has indeed undergone review by trained
> > mathematicians as mentioned before, but to the best of my knowledge, the
> > people involved (those findable from the explainer) are not security or
> > cryptography experts. Which security and cryptography engineers have
> > reviewed which parts? It would be good to see input from such experts
> > regarding (2) and particularly (3).
> >
>
> Indeed. As far as I know [3], i.e., the idea of augmenting graphs
> while signing and removing the augmentations while verifying isn't a
> standard part of security and cryptography. Which experts have signed
> off on this?

On this detail, does it recurse reliably? If Ale writes some RDF, Brin signs it to assure basic integrity of the communication, publishes the result, and then a couple days later Cary signs it to indicate institutional endorsement of the original claims, etc. Are there any cases where manipulating an additional signing could mess with embedded earlier signings, to malicious ends?

Dan

ps. I like the “signing *for* linked data” formulation, as an exercise in creative consensus building. However most of the currently listed usecases don’t engage with Linked Data in the sense of Tim’s founding writeup or the practices of the community that built the LOD cloud. They don’t even engage particularly with the common use of JSON-LD in public web pages. How about “Data Signing for RDF and Verifiable Credentials WG” to acknowledge the two strands of work justifying the group. If VC need this, that could be enough to justify a WG, since it is an actively deployed recent REC. (Or “Signed RDF to fit in a barcode WG” if we’re not in the signing large KGs business?)

> As well, where is the open-source reference implementation? I would
> like to be able to play around with it to check out just what is
> supposed to happen.

+1

> peter
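The layered-signing question raised in the message above (Ale writes, Brin signs, Cary countersigns; can manipulating the later signing disturb the earlier one?) can be made concrete with a toy model. The code below is an added illustration written for this archive page; it is not code from the thread, from any W3C specification, or from any reference implementation. Everything in it is an assumption of the example: the graph is a list of N-Triples lines without blank nodes, "canonicalization" is plain sorting, the `urn:example:sig:` namespace marks signature triples, and HMAC-SHA256 with a per-signer secret stands in for a real digital signature so that it runs on the Python standard library alone.

```python
"""Toy model of layered signing over an RDF graph (constructed illustration).

Each signature is an "augmentation": two triples attached to the graph under
a signature node.  Verifying layer k strips layer k and every later layer,
canonicalizes what remains, and recomputes the tag.  That is what lets an
earlier signature survive later countersignatures and later tampering.
"""
import hashlib
import hmac
import re

SIG_PREFIX = "<urn:example:sig:"          # constructed namespace for signature triples
_LAYER_RE = re.compile(r"<urn:example:sig:(\d+)> ")


def canonicalize(triples):
    """Toy canonical form: deduplicated, sorted N-Triples lines.

    Blank nodes are rejected on purpose: handling them is exactly what makes
    real RDF Dataset Canonicalization non-trivial, and this toy does not try.
    """
    if any("_:" in t for t in triples):
        raise ValueError("blank nodes are not supported by this toy canonicalizer")
    return "\n".join(sorted(set(triples))) + "\n"


def layer_of(triple):
    """Return the signature layer a triple belongs to, or None for data triples."""
    m = _LAYER_RE.match(triple)
    return int(m.group(1)) if m else None


def covered_by(triples, layer):
    """Triples that signature `layer` covers: data plus every *earlier* layer."""
    return [t for t in triples if layer_of(t) is None or layer_of(t) < layer]


def _tag(triples, layer, key):
    """HMAC-SHA256 over the canonical form of the covered triples (signature stand-in)."""
    digest = hashlib.sha256(canonicalize(covered_by(triples, layer)).encode()).digest()
    return hmac.new(key, digest, hashlib.sha256).hexdigest()


def sign(triples, signer, key):
    """Augment the graph with a new signature layer over everything present so far."""
    layer = max((l for l in map(layer_of, triples) if l is not None), default=0) + 1
    node = f"{SIG_PREFIX}{layer}>"
    return list(triples) + [
        f'{node} <urn:example:signer> "{signer}" .',
        f'{node} <urn:example:hmac> "{_tag(triples, layer, key)}" .',
    ]


def verify(triples, layer, key):
    """Check signature `layer` against the triples it claims to cover."""
    node = f"{SIG_PREFIX}{layer}>"
    tags = [t for t in triples if t.startswith(f"{node} <urn:example:hmac> ")]
    if len(tags) != 1:
        return False                       # missing or duplicated signature triple
    claimed = tags[0].split('"')[1]
    return hmac.compare_digest(claimed, _tag(triples, layer, key))


def corrupt_tag(triples, layer):
    """Flip one hex digit of a layer's tag: constructed tampering for the demo."""
    node = f"{SIG_PREFIX}{layer}>"
    out = []
    for t in triples:
        if t.startswith(f"{node} <urn:example:hmac> "):
            head, tag, tail = t.split('"')
            tag = ("0" if tag[0] != "0" else "1") + tag[1:]
            t = f'{head}"{tag}"{tail}'
        out.append(t)
    return out


def demo():
    """Ale's claim, signed by Brin, countersigned by Cary, then tampered with."""
    brin_key, cary_key = b"brin-secret", b"cary-secret"   # constructed keys
    graph = ['<urn:example:ale> <urn:example:claims> "the sky is blue" .']
    g1 = sign(graph, "Brin", brin_key)     # layer 1 covers Ale's triple
    g2 = sign(g1, "Cary", cary_key)        # layer 2 covers Ale's triple + Brin's layer
    shuffled = list(reversed(g2))          # canonicalization makes order irrelevant
    outer_tampered = corrupt_tag(g2, 2)    # manipulate Cary's later signing
    inner_tampered = corrupt_tag(g2, 1)    # manipulate Brin's embedded signing
    return {
        "both_valid": verify(g2, 1, brin_key) and verify(g2, 2, cary_key),
        "order_independent": verify(shuffled, 1, brin_key) and verify(shuffled, 2, cary_key),
        "wrong_key_accepted": verify(g2, 2, brin_key),
        "brin_ok_after_outer_tamper": verify(outer_tampered, 1, brin_key),
        "cary_ok_after_outer_tamper": verify(outer_tampered, 2, cary_key),
        "brin_ok_after_inner_tamper": verify(inner_tampered, 1, brin_key),
        "cary_ok_after_inner_tamper": verify(inner_tampered, 2, cary_key),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

In this model a corrupted outer (Cary) layer leaves Brin's signature verifiable, while a corrupted inner (Brin) layer also invalidates Cary's, because each layer covers all earlier layers. Two caveats a reviewer would flag: the `signer` triple sits inside its own layer's augmentation and is therefore not covered by the tag, so binding identity to key has to happen elsewhere in a real scheme; and the "strip later layers" rule only works because layers are numbered and ordered, which is itself something the real proposal would have to specify and sign.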
Received on Friday, 21 May 2021 08:21:32 UTC