[foaf-dev] FOAF sites offline during cleanup

Kjetil Kjernsmo kjetil at kjernsmo.net
Sun Apr 26 23:01:06 CEST 2009


Hi danbri!

Sorry to hear your box was cracked!

On Sunday 26 April 2009, Dan Brickley wrote:
> Some points here: recent Java includes APIs for XML Signature. Back
> in the early FOAF days we signed FOAF files with PGP, and used a
> wot:assurance link from the doc to the output. See
> http://usefulinc.com/foaf/signingFoafFiles ... in fact the FOAF spec
> used to be signed in this way. I would like to see the most common
> 100 namespaces at least signed using some profile of XML Signature;
> this would allow schemas to be cached and checked, and could help
> reduce risks associated with networked retrieval of RDFS/OWL.

I think it is a good thing that things are signed, but I think that the 
crucial issue here is not how the files are signed (i.e. whether it is 
XML Sig or just signing the file isn't important). What is important is 
how and by whom the files are checked. 

I'm taking the trouble to sign my hand-edited FOAF file, but I don't 
know if anybody has ever checked the signature. Nor am I aware of any 
applications that check the signature, much less verify that the key 
belongs to me. 

Anybody can sign anything with any key that carries any name, so it is 
not sufficient; we need to use some WoT to ensure the integrity. I 
think that if it was common that vocabularies or instance data were 
signed, it is also more likely that people would build a signature 
check into their applications. 

As of now, we are a pretty closely knit group, so what would get us a 
long way is if we did keysigning parties as regular events at 
conferences, and used these keys to verify the vocabularies. And I do 
happen to think that this is the crucial point, that we actually gain 
the ability to check properly. Then, it would be very interesting if 
the crawlers of e.g. Garlik and Sindice did raise alarms if a signature 
fails.

Cheers,

Kjetil
-- 
Kjetil Kjernsmo
Programmer / Astrophysicist / Ski-orienteer / Orienteer / Mountaineer
kjetil at kjernsmo.net
Homepage: http://www.kjetil.kjernsmo.net/     OpenPGP KeyID: 6A6A0BBC
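
An added illustration, not part of the original message: the difference discussed above between a signature that verifies and a key that the web of trust ties to its owner, as a check a crawler could run on GnuPG's `--status-fd` output. The function names, the sample status lines and the fingerprint are constructed for this example, and it assumes one signature per file.

```python
import subprocess

# Status keywords written by `gpg --status-fd` (see GnuPG doc/DETAILS).
TRUSTED = {"TRUST_FULLY", "TRUST_ULTIMATE"}

def classify(status_text):
    """Return (verdict, fingerprint); "ok" needs a good signature AND a
    key whose ownership is validated through the web of trust."""
    good, fingerprint, trust = False, None, None
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()[1:]
        if not fields:
            continue
        keyword = fields[0]
        if keyword == "GOODSIG":
            good = True
        elif keyword == "VALIDSIG" and len(fields) > 1:
            fingerprint = fields[1]
        elif keyword.startswith("TRUST_"):
            trust = keyword
    if not good:  # BADSIG, ERRSIG, expired or revoked key, no signature
        return ("alarm: signature does not verify", fingerprint)
    if trust not in TRUSTED:
        # Anyone can create a key carrying any name: a good signature
        # from a key nobody has vouched for proves nothing about origin.
        return ("alarm: good signature, key owner unverified", fingerprint)
    return ("ok", fingerprint)

def check_file(doc_path, sig_path):
    """Verify a detached signature with the local gpg keyring."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, doc_path],
        capture_output=True, text=True)
    return classify(proc.stdout)

# Constructed sample data (not real keys or real gpg output).
FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
_SIG = ("[GNUPG:] GOODSIG 89ABCDEF01234567 Example Signer <s@example.org>\n"
        "[GNUPG:] VALIDSIG " + FPR + " 2009-04-26 1240779666\n")
SAMPLE_TRUSTED = _SIG + "[GNUPG:] TRUST_FULLY\n"
SAMPLE_UNTRUSTED = _SIG + "[GNUPG:] TRUST_UNDEFINED\n"
SAMPLE_BAD = "[GNUPG:] BADSIG 89ABCDEF01234567 Example Signer <s@example.org>\n"

if __name__ == "__main__":
    for sample in (SAMPLE_TRUSTED, SAMPLE_UNTRUSTED, SAMPLE_BAD):
        print(classify(sample))
```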

