[rdfweb-dev] Which Person wrote this FOAF?

Dan Brickley danbri at w3.org
Tue Jul 29 11:17:28 UTC 2003

* Edd Dumbill <edd at usefulinc.com> [2003-07-29 12:02+0100]
> On Tue, 2003-07-29 at 11:53, Dan Brickley wrote:
> > I'm wondering how this will turn out for tool-assisted FOAF publication.
> > For example, Ecademy and TypePad generate FOAF on behalf of the person
> > described. Firstly, are we happy with the use of foaf:maker as a way
> > for such FOAF to assert that it is 'from' the person it describes. (I
> > am); secondly, it is reasonable to expect such services will ever 
> > find a way to allow their users to PGP-sign this content (I'm
> > doubtful).
> On the first point, construing foaf:maker to indicate the person from
> whom the data originates seems the only reasonable solution.  Otherwise,
> where do you stop?  I mean, I used 'vi' on Debian GNU/Linux to make my
> FOAF file.  Oh, and the computer was a Dell with serial number
> 8723478936, etc, etc.


I think generatorAgent fills the gap reasonably well, for those that
care to express software version etc. (probably useful actually...)
> On the second point, software agents will have to take a view on how
> much they trust information from certain third parties.  In writing
> FOAFbot, for instance, I'd be happy to treat Ecademy FOAF files as
> signed by their authors.

Yes, same here.

> The construction of the general infrastructure for supporting third
> party assurances is beyond my ken right now, something finer minds than
> mine have worked on and are working on.  I guess we'll figure out how to
> filter down their work into something that practically works for FOAF
> tools.  It may be that SAML is a place we could go hunting for clues.

I've only taken the briefest look around SAML. Too much to read already!
But yes, you're right it is a natural spec to investigate here.

A couple of related thoughts:

 - similar issues crop up with local bulk-publishing of RDF. Eg. if you 
   have 100s of .rdf files in your photo metadata collection, how to 
   indicate your authorship of those without PGP-signing each. 
   (Edd, didn't you have a hack for this?). Perhaps signing a
   table-of-contents RDF file which checksum'd each indiviual RDF? 

   (thinking out loud:)
 - maybe there is a relation (not sure how app-specific) along lines of 
   wot:delegatesAssurance that relates PGP keys. Example: my PGP key has 
   fingerprint "FA0C 0D5A 2B3F 808D AA28  2B63 3E15 EF2F 7322 8FE4". I
   could use it to PGP-sign some RDF which says that that key stands in
   a delegatesAssurance relationship to key(s) from Ecademy, TypePad. 
   So I would only need a very basic PGP-signed FOAF file that said, in  
   effect, 'if you see more FOAF signed by these other keys, they're 
   making claims on my behalf.' (hmm, presume a different key for each
   user, rather than one key for all FOAF signed by that service?)

   (to feel comfortable with this, I'd want (i) time limits (ii) a
   revocation mechanism (iii) parameters for what I'm delegating, ie. 
   wouldn't want this to be a blank slate for the delegated sites to 
   say anything at all 'from me' forever. This is a huge problem space,
   and one we should tiptoe into rather cautiously...)


More information about the foaf-dev mailing list