Parsing FOAF in perl?

Bill Kearney wkearney99 at h...
Mon Dec 9 14:33:24 UTC 2002

>From: "Jim Ley"
> Attribution exists in the foaf database, however, people seem unable to
> sign their foaf accurately, so there's not a lot of point, at the moment
> there are the same number of people with bad signatures as there are with
> good (although it's only uri's that have been updated through the
> interface that are included) without signing no provenance exists, so
> it's pretty irrelevant trying to build it into the interface.

While being able to sign your own foaf is handy, there's nothing that says the
signed foaf is any more authoritative than an unsigned one. I could serve up
documents that were signed that made all sorts of assertions. What would make
them any more authoritative than an unsigned one? That's to say I could make a
foaf:Person for someone completely unrelated to myself and sign it. What's the
method in foaf to link signatures back to an authoritative identity? I don't
want to escalate this up into full-on PKI but there ought to be an interm

> These aggregrating sources, are always going to contain untrustworthy
> data, there's no way in the interface to show where it gets its
> information from, but that isn't the intention of such a view.

I'm having trouble agreeing with that perspective. It seems only natural that
once you "see" a person you'd want to know more and be reasonable sure you're
looking at correct data. Correct in the sense that it's someone's own data not
just synthetically aggregated data. The aggregation is powerful but without
provenance it seems problematic.

> We could easily make a version that only allowed information from trusted
> and only allowed "self description" of all information, but I don't
> really see that such a tool is useful.

I'd think some sort of 'authoritative self description' concept is important to
most folks. There's nothing to stop anyone from creating a foaf:Person about
another and having it be riddled with inaccuracies. I don't know that it's
necessary to force it into a situation that allows only 'trusted' people to
submit data. I'd see it as being more important to have a person's own data
signed in such a way that's detectable as having been from themselves.

> It's been mentioned to me that having foafnaut display a link to "the
> persons own foaf" would be a good idea, without realising that there's no
> way that foafnaut can tell who "owns" some foaf, it's simply a URI.

I see what you mean. In that there's no way to "tell" where the foaf:Person
element came from. In the context of one document I could have ALL the
foaf:Person instances "loose" in top hierarchy. There wouldn't even have to be
any foaf:knows elements. There'd be nothing in the the document to indicate
that any of the foaf:Person elements were any more or less authoritative about
any given person. Or I could serve up a series of foaf:knows elements that made
any number of incorrect associations between completely unrelated parties.

> And exists without a problem, it's just not exposed in the interface (and
> there's no point even thinking about it until people actually start
> signing accurately their foaf!)

Again, how is signing going to make it anymore authoritative? Unless the signed
file can contain only one "this is me" sort of foaf:Person I'm not entirely
clear on the value of signatures. I do see their point but not in the rather
loose way foaf works now. I'm not suggesting that the free form nature of foaf
needs to be altered. I'm simply wondering how someone can "be sure" the data is
actually "authoritative" for the person it describes?

-Bill Kearney

More information about the foaf-dev mailing list