[rdfweb-dev] Time's running out?

Dan Brickley danbri at w3.org
Tue Aug 12 08:31:44 UTC 2003

* Julian Bond <julian_bond at voidstar.com> [2003-08-12 08:48+0100]
> Libby Miller <Libby.Miller at bristol.ac.uk> wrote:
> >mbox is as yet formally unconstrained as Julian points out.
> I'm seeing foaf out there with some mbox and some mbox_sha1sum. I've 
> been effectively using mbox as the primary key to people but actually 
> using the obfuscated version in mbox_sha1sum. So searching for whether 
> I've seen a specific person requires building an array of any 
> mbox_sha1sum found plus any mbox found after hashing them. I then 
> iterate through the array looking for values in a person_mbox link 
> table.
> Which is all to say that mbox and mbox_sha1sum are interchangeable and 
> refer to the same thing. So their definitions ought to be very similar.

I agree (although interchangeable is a risky way of putting it; you
can't use foaf:mbox_sha1sum for all the purposes you'd use
foaf:mbox, that's its appeal!).

Bug report http://rdfweb.org/issues/show_bug.cgi?id=16 addresses this.

http://xmlns.com/foaf/doc/mbox.en (new documentation for foaf:mbox)
The <code>foaf:mbox</code> property is a relationship between the owner
of a mailbox and 
a mailbox. These are typically identified using the mailto: URI scheme
(see <a 
href="http://ftp.ics.uci.edu/pub/ietf/uri/rfc2368.txt">RFC 2368</a>).

Note that there are many mailboxes (eg. shared ones) which are not the 
<code>foaf:mbox</code> of anyone. Furthermore, a person can have
<code>foaf:mbox</code> properties. 

In FOAF, we often see <code>foaf:mbox</code> used as an indirect way of
identifying its 
owner. This works even if the mailbox is itself out of service (eg. 10
years old), since 
the property is defined in terms of its primary owner, and doesn't
require the mailbox to 
actually be being used for anything.

Many people are wary of sharing information about their mailbox
addresses in public. To 
address such concerns whilst continuing the FOAF convention of
indirectly identifying 
people by referring to widely known properties, FOAF also provides the 
<code>foaf:mbox_sha1sum</code> mechanism, which is a relationship
between a person and 
the value you get from passing a mailbox URI to the SHA1 mathematical

The mbox:sha1sum doc says:

A <code>foaf:mbox_sha1sum</code> of a <code>foaf:Person</code> is a
textual representation of 
the result of applying the SHA1 mathematical functional to a 'mailto:'
identifier (URI) for an 
Internet mailbox that they stand in a <code>foaf:mbox</code>
relationship to.

In other words, if you have a mailbox (<code>foaf:mbox</code>) but don't
want to reveal its 
address, you can take that address and generate a
<code>foaf:mbox_sha1sum</code> representation 
of it. Just as a <code>foaf:mbox</code> can be used as an indirect
identifier for its owner, we 
can do the same with <code>foaf:mbox_sha1sum</code> since there is only
<code>foaf:Person</code> with any particular value for that property.

Many FOAF tools use <code>foaf:mbox_sha1sum</code> in preference to
exposing mailbox 
information. This is usually for privacy and SPAM-avoidance reasons.
Other relevant techniques 
include the use of PGP encryption (see <a
href="http://usefulinc.com/foaf/">Edd Dumbill's 
documentation</a>) and the use of <a 
whitelists</a> for 
mail filtering.

Code examples for SHA1 in C#, Java, PHP, Perl and Python can be found <a 
href="http://www.intertwingly.net/blog/1545.html">in Sam Ruby's 
weblog entry</a>. Remember to include the 'mailto:' prefix, but no trailing 
whitespace, when computing a <code>foaf:mbox_sha1sum</code> property.
<!-- what about Javascript. move refs to wiki maybe. -->

Comments welcome.
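
Added example, not part of the original message or the FOAF documentation: computing a foaf:mbox_sha1sum as described above ('mailto:' prefix, no trailing whitespace) and using it as the single lookup key for people described with either foaf:mbox or foaf:mbox_sha1sum. The function names, the lowercasing of the scheme and of hex digests, and the example.org sample data are assumptions made for illustration.

```python
import hashlib

def mbox_sha1sum(mbox):
    """Hex SHA1 of a mailbox URI: 'mailto:' prefix present, no surrounding whitespace."""
    uri = mbox.strip()
    if uri[:7].lower() == "mailto:":
        uri = "mailto:" + uri[7:]   # assumption: normalise the scheme's case only
    else:
        uri = "mailto:" + uri       # bare address given: add the required prefix
    return hashlib.sha1(uri.encode("utf-8")).hexdigest()

def person_keys(mboxes=(), sha1sums=()):
    """All sha1sum keys for one person: published sums plus hashes of any plain mboxes."""
    keys = {s.strip().lower() for s in sha1sums}
    keys.update(mbox_sha1sum(m) for m in mboxes)
    return keys

def build_index(people):
    """Map every sha1sum key to a person id (the 'person_mbox' link table)."""
    index = {}
    for person_id, (mboxes, sha1sums) in people.items():
        for key in person_keys(mboxes, sha1sums):
            index[key] = person_id
    return index

def find_person(index, mboxes=(), sha1sums=()):
    """Ids of already-seen people matching any supplied mbox or mbox_sha1sum."""
    return {index[k] for k in person_keys(mboxes, sha1sums) if k in index}

# Constructed sample data: one person published a plain mbox, the other only a hash.
PEOPLE = {
    "p1": (["mailto:alice@example.org"], []),
    "p2": ([], [mbox_sha1sum("mailto:bob@example.org")]),
}
INDEX = build_index(PEOPLE)

if __name__ == "__main__":
    print(find_person(INDEX, mboxes=["bob@example.org "]))
    print(find_person(INDEX, sha1sums=[mbox_sha1sum("alice@example.org")]))
```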