[rdfweb-dev] pgp signing

Bill Kearney wkearney99 at h...
Fri Dec 20 14:08:06 UTC 2002

> The risk in it being available at the triple level, is that someone who
> uses the foaf universe as an address book (which is something I do) could
> conclude that sending me an email signed to the public key would be
> welcome, it's not I would not read such an email, and because of that I
> want to put barriers between users and my public key.

Whoa, you're right of course, in that barriers to receiving legitimate stuff are
important to avoid. But I don't know of any mail programs that default to
forcing this upon unsuspecting users. I have seen how signed mail gets mangled
when signed to mailing lists. But many mail clients support per-user sending
preferences (like don't send me HTML) and signatures are usually a selectable,
not defaulted, option.

I've had people send me signed HTML. I've simply asked them to resend it
unsigned and not in HTML and to make note of that preference for me in their
addressbook. So far the 3 dozen or so people I've gotten signed mail from have
complied without a problem. I hear you concern I just don't see it being a

> Pointing to a location of the key inside the document we're signing
> strikes me as a rather odd sort of security. We can't trust the document
> until we've checked the signature, but we can only check the document by
> trusting the contents. That doesn't work. the key discovery has to be
> seperate to the document.

The keys are from a third party. This is simply an identifying marker. I do
not see how making note of a key ID in this context has any sort of trust or
security issues. At least none that aren't already extant. Having your public
key does nothing for me except has a handle on what it'd take to find you in the
third party keyserver and to send you something encrypted. I'm not suggesting
that it be construed as a /requirement/ or even a suggestion that you actually
/want/ anything sent to you, encrypted or otherwise.

There is the question of how to note which mbox (or hash) is the preferred
address. Not related here but I suppose that with multiple keys it could be an
issue. My work key vs my personal key, etc.

> The keyservers are searched with the ID of the key, not by searching for
> people,

Nope, I searched for the text "ley" and got your key. Along with noticing a
boatload of other folks named Ley. Now, how would I "tell" that the PGP key is
in any way related to something I come across?

> I do wot:assuarance checking, and have no problems with
> validating without doing any searching for people. (although it doesn't
> work when running under the webservers account)

Indeed, there are going to be trust issues with how the server configurations
let you do things. I didn't say it would be easy.

> I'm not, and never will be _defined by_ RDF, an RDF doc is just a
> collection of statements.

Please, I'm not arguing that whole point. I'm simply focusing on that if folks
wanted to use foaf or something like it there's a high probability they're going
to want some control over making authoritative statements about the contents.
I'm not making some existential argument here.

> > The worst thing people could do with your public key is sign something TO
> Exactly what I'm trying to avoid.

For the purpose of avoiding things be improperly encoded such that your mail
program upchucks on them? Yes, that's certainly something to avoid. I've not
encountered any mail clients that embark on such a path.

> > > I also don't see what's gained by having the information of the
> creator
> > > of the doc in terms of how trusted the document is, the key
> identifies a
> > > person, is that not sufficient?
> >
> > If there's not a way to determine what an individual claims then how
> will it be
> > possible to avoid hijacking someone else's triples?
> You signed it, don't sign something you don't agree with.

Ok then, if I sign a document that contains statements about someone else, how
will someone else be able to untangle who's authoritative about those
statements? I'm not suggesting that signatures start popping up all over the
place. I'm merely looking for a way to express authorship of a foaf:Person in a
verifiable fashion.

-Bill Kearney

More information about the foaf-dev mailing list