[rdfweb-dev] pgp signing

Bill Kearney wkearney99 at h...
Fri Dec 20 12:34:45 UTC 2002

Thanks Dan, comments inline.

From: "Dan Brickley" <danbri at w...>
> > How can we address something like having one foaf:Person within a foaf file
> > recognized as the 'authoritative' entity making the assertions within

Ok, you've suggested that the fragment suggested by Edd for the document's
signature be annotated with a dc:creator that indicates myself as the
rdf:resource. A nice circular bit of linkage. I've added that to my foaf [1]

Does this look about right:
<wot:identify rdf:resource="#wkearney99"/>
<wot:hex_id rdf:value="0x79F14C94" />
<wot:fingerprint rdf:value="2868 8C59 FBEA FABE 123D 1C69 FDBB AC3D 79F1 4C94"
rdf:value="http://www.ideaspace.net/users/wkearney/pubkey.asc" />

And this added for the signature:
<!-- digital signature for this file -->
<rdf:Description rdf:about="">
rdf:resource="http://www.ideaspace.net/users/wkearney/foaf.rdf.asc" />
<dc:creator rdf:resource="#wkearney99" />

I'm wondering about that 'rdf:about="" ' statement that Edd used. Are things
going to recognize that it's a statement about this file? Or should the file's
full URI be specified here?

> It isn't perfect :)
> But if you do the above.,
> 1. you know that the RDF says "there is a person, called bill, with
> such'n'so homepage, mailbox and pgp details"
> 1b. you can check the indicated key and see if it has the same
> fingerprint etc mentioned within the rdf
> 1c. you can check that the RDF was signed by that key, or at least
> that the email address of the signing key matches your expectations
> about the person named as doc author
> 2. you can read the RDF to see if it says who the author of the RDF was.

Right, that follows a nice path and it's not hard to do.

> This reduces us to the familiar PGP situation of knowing that the
> RDF doc was written by the owner of <some_pgp_key>, ie gets us back into the
> world of PGP identity-assuring key signing, key parties, offline verification
> of key fingerprints etc. Several FOAFy people have signed my key,
> checked (in real life) my key fingerprint info is accurate, etc. There is
> plenty overhead in doing this stuff, but the basic machinery is
> well establish, and we can treat RDF signing as just a particular kind of
> document.

Yet another reason to actually interact, key signing!

> ...or something like that. It's 8.15am, haven't got my thinking head on yet...

Made sense to me and it's 7:28am here.

> ps. yes I know this is too complicated as presented to get adopted
> by non geeks. Maybe spam filtering will be the motivator for widespread
> adoption of pgp-like technology?

On one level it is indeed a bit complicated. But once upon a time e-mail "bang
paths" made sending messages a real pain for non-geek types. The complexities
of this can be largely smoothed over such that the users don't really see any of
it. Some mail programs are getting smart enough to track the people to whom
you've sent mail and add then to inbound accept lists. Key management
integration is actually available in most mail clients. It's just rather clumsy
to use.

What is more difficult to manage is encrypted content. This seems to have
really poor integration on the client side of things. At least from the
standpoint of not being as 'automagic' as the non-geek population would

I've pinged a message to Joseph Reagle about all this. I'm hoping he'll offer
some suggestions as well.

Thank Dan,

-Bill Kearney

[1] http://www.ideaspace.net/users/wkearney/foaf.xrdf

More information about the foaf-dev mailing list