Re: #rdfms-identity-anon-resources: provenance

Hi Ron,

From one lazy slob to another, I wasn't, nor I think was anyone else,
suggesting the working group take on the task of defining an
algorithm for signing a model.

Brian


Ron Daniel wrote:
> 
> Hi all,
> 
> I'm back from vacation, starting to catch up on the
> backlog. Apologies if this issue has already been settled,
> I did not see such in the minutes. (Speaking of which,
> I don't see the minutes for July 27 in the archive).
> 
> Brian said:
> 
> > I should have made clear that my hypothesis here is that it is
> > the 'model' that was signed, not the document.
> 
> There are not very many use cases for signing an internal
> representation instead of the serialized form which is
> actually transmitted. The main concerns people use signatures
> to address are:
>   1) Did this come from whom it purports to come from?
>   2) Is this an unaltered version of what they sent?
> Both of these are perfectly well-served by signing the
> serialized form of a graph. Signing internal representations
> ends up with a lot of problems around canonicalization
> such as byte order issues, as well as a tendency to
> restrict optimizations.
> 
> There are some other reasons not to take on the task
> of signing the 'model', including:
>  1) insufficient number of WG members who are security experts
>  2) interference with the chartered XML signatures work (which
>     is the group that does have the security experts)
>  3) lack of demonstrated needs which can't be met by
>     signing the serialized form of a model.
>  4) lack of charter to take this on
>  5) time and effort
> 
> Lazy slob that I am, I don't want to take on more work
> than is needed.
> 
> Ron Daniel Jr.
> Standards Architect
> Tel: +1 415 778 3113
> Fax: +1 415 778 3131
> Email: rdaniel@interwoven.com
> 
> Visit www.interwoven.com
> Moving Business to the Web

Received on Monday, 30 July 2001 19:47:04 UTC