Re: RDF and XML digital signatures (was: RDF Primer Comments)

At 01:30 PM 4/26/02 -0700, Garret Wilson wrote:
>----- Original Message -----
>From: "Frederick Hirsch" <hirsch@fjhirsch.com>
>To: <www-rdf-comments@w3.org>; <hirsch@fjhirsch.com>
>Sent: Friday, April 26, 2002 12:59 PM
>Subject: RDF Primer Comments
>
> > 17. At the end of 5.3, what is to prevent a spammer from creating RDF
> > Spam? Perhaps a statement about the use of XML Digital Signatures in
> > conjunction with RDF to achieve this goal would be useful.
> >
> > "Combining XML digital signatures with RDF descriptions to ensure that
> > you only receive desired information from appropriate sources should
> > lead toward the elimination of spam."
>
>Coincidentally, that issue just came up for me today.
>
>Is there someone working on an RDF Schema for W3C XML Signatures? It would
>be great to have an RDF ontology for signatures, so that one could specify
>signatures within an RDF description instance.

Sorry, no answers for you, but this sounds like the sort of thing that 
Joseph Reagle might be thinking about...

If you come across anything I'd be interested to know about it.  (I've 
started trying to collect a list of RDF schemas in use, and have so far 
found surprisingly few given the volume of discussion about RDF.)

On the main question, I think there are three distinct issues:

(a) how to sign RDF data.

(b) how to use RDF to describe signatures.

(c) using RDF to describe contextual information about the application of a 
signature to a document.

Regarding (a), I take the view that a signature applies to a string of bits 
or bytes, and regard attempts to sign the abstract content as unnecessarily 
problematic.  So S/MIME, PGP/MIME or XMLDSIG all work just fine by my 
reckoning.

I think (b) is an interesting project, if nobody's done anything about it 
already.  I would suggest a goal would be that an RDF graph can describe 
the bare assurance conveyed by a given digital signature on some content (a 
document that encoded information <foo> was signed by identity <bar> using 
a signature method <fie> and a key with certificate attributes <foe> 
certified by authority <fum> ... etc.)

I think (c) is a kind of extension of (b), to try and capture the assurance 
that is intended by the signature ("I the signer believe this to be true", 
or "I the signer agree to the terms of the contract expressed by this 
document", or "I the signer think the person who wrote this content is a 
fraudster and refuse to be bound in any way by its content", etc.)  Some 
time ago, Joseph posted some ideas to encode this kind of information (in 
relation to P3P) in a digital signature, using RDF [1].

#g

[1] http://www.w3.org/TR/2001/NOTE-xmldsig-p3p-profile-20010202/
-------------------
Graham Klyne
<GK@NineByNine.org>
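The point made under (a) above, that a signature binds a particular string of bytes rather than the abstract graph, can be seen with a small worked example. This is an added illustration, not code from the email, from the W3C or from any RDF or XMLDSIG implementation. It uses HMAC-SHA256 from the Python standard library as a stand-in for a real signature primitive (the choice of primitive does not affect the point, which is what bytes get bound), and all the N-Triples data, the key and the naive canonicalisation below are constructed for the example. Two serializations of the same two-triple graph, differing only in triple order, produce different tags; a canonical byte form makes them agree; and the canonicaliser refuses graphs with blank nodes, which is exactly the case that makes signing "abstract content" problematic.

```python
import hashlib
import hmac

# Constructed sample: two N-Triples serializations of the same RDF graph.
# They differ only in the order of the two statements.
SERIALIZATION_A = (
    b'<http://example.org/doc> <http://purl.org/dc/elements/1.1/creator> "Alice" .\n'
    b'<http://example.org/doc> <http://purl.org/dc/elements/1.1/title> "Report" .\n'
)
SERIALIZATION_B = (
    b'<http://example.org/doc> <http://purl.org/dc/elements/1.1/title> "Report" .\n'
    b'<http://example.org/doc> <http://purl.org/dc/elements/1.1/creator> "Alice" .\n'
)

# Constructed key. HMAC-SHA256 stands in for a public-key signature here;
# only which bytes are bound matters for the illustration.
KEY = b"example-signing-key-not-for-real-use"


def sign_bytes(data: bytes, key: bytes = KEY) -> str:
    """Tag exactly the bytes given, as S/MIME, PGP/MIME or XMLDSIG would."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_bytes(data: bytes, tag: str, key: bytes = KEY) -> bool:
    """Constant-time check that `tag` was produced over these exact bytes."""
    return hmac.compare_digest(sign_bytes(data, key), tag)


def parse_ntriples(data: bytes) -> frozenset:
    """Minimal N-Triples reader: one statement per line, terminated by '.'.

    Returns the set of statement texts, so two serializations of the same
    graph compare equal regardless of line order. (Toy parser, constructed
    for this example; it does not handle every N-Triples escape.)
    """
    statements = set()
    for raw in data.decode("utf-8").splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if not line.endswith("."):
            raise ValueError("statement not terminated by '.': %r" % line)
        statements.add(line[:-1].strip())
    return frozenset(statements)


def same_graph(a: bytes, b: bytes) -> bool:
    """True if both byte strings encode the same set of triples."""
    return parse_ntriples(a) == parse_ntriples(b)


def canonical_bytes(data: bytes) -> bytes:
    """Naive canonical form: sorted statements, one per line.

    Works only for graphs without blank nodes. Blank-node labels are
    arbitrary, so two serializations of one graph may label them differently
    and a line sort cannot recover a unique form; a proper graph-labelling
    algorithm would be needed, which is the hard part of signing the
    abstract content rather than the bytes.
    """
    statements = parse_ntriples(data)
    for stmt in statements:
        if any(tok.startswith("_:") for tok in stmt.split()):
            raise ValueError("blank nodes present; naive canonicalisation refused")
    return ("\n".join(sorted(statements)) + "\n").encode("utf-8")


if __name__ == "__main__":
    print("same graph:        ", same_graph(SERIALIZATION_A, SERIALIZATION_B))
    print("tags over raw bytes match:      ",
          sign_bytes(SERIALIZATION_A) == sign_bytes(SERIALIZATION_B))
    print("tags over canonical bytes match:",
          sign_bytes(canonical_bytes(SERIALIZATION_A))
          == sign_bytes(canonical_bytes(SERIALIZATION_B)))
```

Run as a script it prints that the two inputs are the same graph, that their raw-byte tags differ, and that their canonical-form tags agree. The practical consequence for a recipient is that verification must be done over the bytes actually received, before any parsing or re-serialization, and that any canonicalisation step between signer and verifier is itself part of what is being trusted.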

Received on Saturday, 27 April 2002 05:30:41 UTC