- From: Patrick Stickler <patrick.stickler@nokia.com>
- Date: Thu, 18 Mar 2004 13:13:18 +0200
- To: "ext Chris Bizer" <chris@bizer.de>
- Cc: "ext Jeremy Carroll" <jjc@hpl.hp.com>, <phayes@ihmc.us>, <www-archive@w3.org>, <jjc@hplb.hpl.hp.com>
On Mar 18, 2004, at 11:43, ext Chris Bizer wrote:
>> I much prefer the swp:certificate property rather than forcing
>> the URI denoting the authority to resolve to the certificate.
>>
>
> Absolutely. I think it should be general practice that the URI
> identifing an
> authority refers to a graph with a self description of the authority
> (name,
> address, affiliation, roles in different application domains,
> certificates
> .... using the vocabularies of choice). Another solution would be using
> rdf:seeAlso in a graph to link to this self description.
>
>
>
> G2 (G1 swp:assertedBy ex:chris.
>
> ex:chris rdf:seeAlso <http:www.bizer.de/selfdescription.trix>)
>
The practical difficulty with this is that it's not clear that
folks will indicate the certificate of the authority in any
consistent manner via an rdf:seeAlso reference.
Better to have it explicit, e.g.
:G2 (:G1 swp:assertedBy ex:chris .
ex:chris swp:certificate <http://...> )
>
>
> ... "Distrust everything a vendor says about its competitor."
;-)
>
>
>
> I think we should derive our vocabulary for expression signatures and
> certificates from the W3C "XML Encryption Syntax and Processing" and
> "XML-Signature Syntax and Processing" specifications
> http://www.w3c.org/Signature/ and the W3C key management work
> http://www.w3c.org/2001/XKMS/, rather than inventing our own
> vocabulary. A
> guy called Garret Wilson started this, but didn't get too far. See:
>
> http://lists.w3.org/Archives/Public/www-rdf-interest/2003Dec/att-0140/
> crypto
> -draft-20031224.html
>
>
>
> If we want to go this way, I could derive the necessary vocabulary
> from the
> specs next week.
This sounds like a reasonable way to go, but I think for this particular
paper, all we need to define is swp:signature and swp:Signature and
simply cover their essential function, leaving it to future work
to define the rest.
I.e., go ahead and put together a proposal vocabulary, which may in
any case be useful in clarifying things for the present paper, but
let's keep the two activities distinct. OK?
>>> 5) define swp:signedAndAssertedBy as a subproperty of (3) and (4)
>>
>> Would we not rather be able to infer
>>
>> ?graph swp:signedBy ?authority .
>>
>> from
>>
>> ?graph swp:authority ?authority .
>> ?authority rdf:type swp:PGPCertifiedAuthority .
>>
>> ???
>>
>> I.e., if someone is a PGP CA they they are always the CA
>> for graphs which they verify/sign.
>>
>> This allows us to avoid the extra property. If the graph is
>> signed with an X509 signature, then you have to specify the
>> CA explicitly, otherwise it's the same as the value of
>> either swp:authority or swp:assertedBy.
>>
>> Yes?
>>
>
> No. I think a link to the CA is encoded in the X509 certificate. Thus
> it is
> enough that an authority signing a graph has a certificate property in
> its
> self description. An agent who wants to verify the signature can
> decode the
> certification chain from the certificates. Or we should have a look how
> certification chains are handled in the "XML Key Management
> Specification"
> and use their vocabulary.
OK, so either way, all we need is the swp:authority and swp:signature,
and then via the URI of the authority we obtain a certificate for the
authority, where the CA of that certificate is either the authority
itself (PGP) or is specified in the certificate (X509).
Right?
Patrick
--
Patrick Stickler
Nokia, Finland
patrick.stickler@nokia.com
Received on Thursday, 18 March 2004 06:25:47 UTC