[rdfweb-dev] x.509/xml signature

Doug Ransom doug_ransom at t...
Mon Sep 30 13:51:05 UTC 2002



> -----Original Message-----
> From: Edd Dumbill [mailto:edd at u...]
> Sent: September 29, 2002 10:21 PM
> To: rdfweb-dev at yahoogroups.com
> Subject: Re: [rdfweb-dev] x.509/xml signature
>
>
> On Sun, 2002-09-29 at 16:36, Doug wrote:
> > I think it would be really cool if FOAF supported xml signatures
> > that can be verified using the x.509 pki.
> >
> > I know some are partial to PGP, but the CA mechanisms used x.509
> > give me much more comfort than a PGP certification path.
> >
> > I use the thawte web of trust as my CA (because it's free)
> > http://www.thawte.com/html/COMMUNITY/wot/
> >
> > Any thoughts?
>
> Naturally, support for multiple types of signatures might be useful.
> The best way to see this sort of thing implemented is to send in code :)
>
> I don't know much about x509, are there common code libraries around to
> do verification? I see 'gnutls' implements (restricted) support, but I
> can't see anything more than that, like scripting language bindings.

I think x.509 is natively supported in Windows, or at least available on any PC
with Internet Explorer. Since S/MIME and SSL/TLS are based on x.509, I would
guess there is good support for other platforms as well.

>
> The type of the signature could easily be expressed in a similar vein to
> what we use now by adding more properties into the
> http://xmlns.com/wot/0.1/ namespace.
>
> Thinking into the future, more useful than XML signature would be RDF
> signature: where a bunch of RDF statements are canonicalized and then
> signed. Currently we only sign an XML-serialization (one of many
> possible serializations) of the information expressed in a FOAF file.

That makes sense to me. I am not overly familiar with RDF applications
(although I am interested).
What would the use case be for signed RDF?

For example, in XML signature, a use case is:
- I sign a document
- I send the signature to a notary, who concatenates timestamp and their own
signature (a witness)
- I add the witness tags to the xml document.
- someone else can verify I did sign the document and that signature was
witnessed on a certain date.

What would we do with RDF if we had RDF signature? Is there currently a
canonicalized RDF?

An alternate approach for RDF would be to serialize RDF in a canonical format
(i.e. have a canonical serialization). I can't say if this is a good idea.


>
> -- Edd
>
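
The difference raised in this thread between signing one serialization and signing canonicalized statements, as an added example that is not part of the original messages. It assumes ground statements only (no blank nodes), uses constructed example.org IRIs, and stops at the digest that an X.509 or PGP signature would cover.

```python
import hashlib
import re

# One statement per line: <subject> <predicate> <object-IRI or "literal"> .
TRIPLE = re.compile(
    r'^\s*(<[^>]*>)\s*(<[^>]*>)\s*(<[^>]*>|"(?:[^"\\]|\\.)*")\s*\.\s*$')

FOAF = "http://xmlns.com/foaf/0.1/"
# Constructed sample data: the same three statements serialized twice,
# with different statement order and whitespace.
DOC_A = "\n".join([
    '<http://example.org/doug#me> <%sname> "Doug" .' % FOAF,
    '<http://example.org/doug#me> <%sknows> <http://example.org/edd#me> .' % FOAF,
    '<http://example.org/edd#me> <%sname> "Edd" .' % FOAF,
])
DOC_B = "\n".join([
    '<http://example.org/edd#me>   <%sname>   "Edd".' % FOAF,
    '',
    '<http://example.org/doug#me>\t<%sknows>\t<http://example.org/edd#me> .' % FOAF,
    '<http://example.org/doug#me> <%sname> "Doug" .' % FOAF,
])


def parse(doc):
    """Return the set of (s, p, o) statements in the document."""
    triples = set()
    for line in doc.splitlines():
        if not line.strip():
            continue
        m = TRIPLE.match(line)
        if m is None:
            # Blank nodes (_:x) land here too: giving them canonical
            # labels is the hard part and is out of scope for this sketch.
            raise ValueError("unsupported or malformed statement: %r" % line)
        triples.add(m.groups())
    return triples


def canonical_bytes(triples):
    """Deduplicated, sorted, single-space form: one byte string per graph."""
    return "".join("%s %s %s .\n" % t for t in sorted(triples)).encode("utf-8")


def raw_digest(doc):
    """Digest over the serialization as written (what is signed today)."""
    return hashlib.sha256(doc.encode("utf-8")).hexdigest()


def canonical_digest(doc):
    """Digest over the canonical form (what an RDF signature would cover)."""
    return hashlib.sha256(canonical_bytes(parse(doc))).hexdigest()
```

A signature over `raw_digest` breaks when the file is re-serialized; one over `canonical_digest` survives reordering and whitespace changes but still fails if any statement changes.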



