- From: Reto Bachmann-Gmür <reto@gmuer.ch>
- Date: Tue, 6 Jul 2010 21:33:27 +0200
- To: Bruno Harbulot <Bruno.Harbulot@manchester.ac.uk>
- Cc: Thomas Roessler <tlr@w3.org>, Tim Berners-Lee <timbl@w3.org>, Harry Halpin <hhalpin@w3.org>, foaf-protocols@lists.foaf-project.org, Ivan Herman <ivan@w3.org>, Ian Jacobs <ij@w3.org>, Jeffrey Jaff <jeff@w3.org>, www-archive <www-archive@w3.org>, Henry Story <henry.story@gmail.com>
On Tue, Jul 6, 2010 at 5:17 PM, Bruno Harbulot <Bruno.Harbulot@manchester.ac.uk> wrote:

>
> 5. Addressing the issue of signed RDF assertions or comparison with
> other repositories of keys.
>
> So far, we've been using a simple dereferencing of the WebID to do the
> verification. It's OK, but it doesn't really improve the security
> compared to OpenID. There is potential to improve the security by using
> the keys of course. How far do we want to go there?

"Addressing the issue of signed RDF assertions" -> In such generic terms I think it's by far out of scope for foaf+ssl (for a paper on the subject see Jeremy Carroll's paper on signing RDF graphs [1]).

However I think I very much agree with your intention and I think that from the beginning we should have a way for transitive trust chains. But instead of signing complete graphs or arbitrary extensions we should have a way to say and sign something like "At time X I assume|believe|stronger that Y is the public key of P, see Z for possible updates on this belief". I think this signing should be done largely automatically and even if on a low trust level of "assume" can have great benefits. For example a friend request should be accompanied by such a statement (as in fact this only says that we think we're sending the request to the right person; a single one of these is of little use but many such statements can build a sound foundation for some trust).

Cheers,
reto

1. http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.58.3198&rep=rep1&type=pdf

Received on Tuesday, 6 July 2010 19:33:56 UTC