[rdfweb-dev] Newbie trying to catch up

Bill Kearney wkearney99 at h...
Mon Dec 23 15:54:40 UTC 2002

> > Julian, this is great. Is there anyway I can specify that I already
> > have a FOAF file?
> Now I've got two FOAF files, Bill's debate about authority seems all
> the more relevant...

RDF allows a powerful thing when you start 'layering' the triples. Let's say an
individual publishes a foaf document. The triples within that document say just
a few things. Then let's say that a directory or other group service also
publishes a set of triples that add onto the user's own set. This is a good
thing, you could now query for more than just the source data. But how do you
"tell" which source is "the right one"? Or, more subtly, what if the two
sources claim /different/ data for the same triples? Which one is "right" let
alone which one is authoritative?

How, assuming we have a way to 'be authoritative' should we go about
"overriding" any errors that might exist elsewhere? My feeling is that errors
(either via stale, bad or malicious data) are always going to exist. I'd just
like to see a way for a user to be in control of a source and a way for programs
using the data to properly distinguish and obtain said authoritative data. And
for the databases to understand the value of checking and purging.

Thus something like having a PGP (or other) hex_ID is a handy place to start.
If a foaf:Person is found and if it has a hex_ID and the data can be verified to
have been signed with that key then it seems reasonable to assume that the data
is authoritative.

Hmmm, one could post a foaf:Person for someone else that doesn' t have a key,
put a key in it, sign it and wedge it into foaf space as the authoritative one,
ooops.... A little bit of keyserver interaction/verification is going to need
to happen so the user can validate the process.

Fortunately a lot of this infrastructure already exists. The pgp keyservers at
pgp.com and mit are freely accessible.

At this point it seems like some services would benefit from starting to use
keys. Those keys could then be added to your local keychain. You could also be
counter-sign the service's key at the keyserver. Your signing the service keys
in the key authority is one way for anyone using the service to detect if you
know about it and offer some degree of trust in it. Having the service's key in
your local keychain enables you local software to receive, decode and verify
messages from said service.

Maybe one way to get some momentum going is by getting a pgp key and participate
in some key signing efforts.

-Bill Kearney

More information about the foaf-dev mailing list