[foaf-dev] FOAF sites offline during cleanup
crschmidt at crschmidt.net
Sun Apr 26 23:10:50 CEST 2009
On Sun, Apr 26, 2009 at 11:01:06PM +0200, Kjetil Kjernsmo wrote:
> Hi danbri!
> Sorry to hear your box was cracked!
> On Sunday 26 April 2009, Dan Brickley wrote:
> > Some points here: recent Java includes APIs for XML Signature. Back
> > in the early FOAF days we signed FOAF files with PGP, and used a
> > wot:assurance link from the doc to the output. See
> > http://usefulinc.com/foaf/signingFoafFiles ... in fact the FOAF spec
> > used to be signed in this way. I would like to see the most common
> > 100 namespaces at least signed using some profile of XML Signature;
> > this would allow schemas to be cached and checked, and could help
> > reduce risks associated with networked retrieval of RDFS/OWL.
> I think it is a good thing that things are signed, but I think that the
> crucial issue here is not how the files are signed (i.e. whether it is
> XML Sig or just sign the file isn't important). What is important is
> how and by whom the files are checked.
> I'm taking the trouble to sign my hand-edited FOAF file, but I don't
> know if anybody has ever checked the signature. Nor am I aware of any
> applications that check the signature, and much less
> verify that the key belongs to me.
For the record, my RDF bot did, at one point, check signatures, using
wot:assurance. If the sig wasn't correct, the document wouldn't be put
into the triplestore. However, it's true that the trust chain wasn't
checked -- primarily because I had (at the time) no personal connection
to anyone in the web of trust, so I couldn't come up with a way to
verify that information.
In this situation, you're absolutely right: signing has no purpose,
because if you can't verify signatures via a social construct
encouraging people to join the WoT, then someone can just create a new
fake key, sign the doc, and no one would ever be the wiser.
> Anybody can sign anything with any key that carries any name, so it is
> not sufficient, we need to use some WoT to ensure the integrity. I
> think that if it was common that vocabularies, or instance data were
> signed, it is also more likely that people would build a signature
> check into their applications.
You would also need to encourage vocabulary maintainers to join the web
of trust. Perhaps this problem is sufficiently well-solved that this is
not a problem, but it needs to at least be a consideration.
> As of now, we are a pretty closely knit group, so what would get us a
> long way is if we did keysigning parties as regular events on
> conferences, and used these keys to verify the vocabularies.
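An added example, not part of the original thread and not the code of the RDF bot described in it: a sketch of the ingest decision the thread discusses, where a document is accepted only if its signature verifies and the signing key is reachable from the verifier's own key through key certifications. All names are hypothetical; it assumes the signature result and signer key come from an OpenPGP verifier and that each listed certification has already been cryptographically verified.

```python
from collections import deque

# Constructed sample data: (certifier key, certified key) pairs.
# Short labels stand in for real OpenPGP fingerprints.
CERTIFICATIONS = [
    ("KEY_ME", "KEY_ALICE"),
    ("KEY_ALICE", "KEY_VOCAB_MAINTAINER"),
    ("KEY_FAKE", "KEY_FAKE"),  # freshly made key, certified only by itself
    ("KEY_FAKE", "KEY_ME"),    # an untrusted key certifying us earns it nothing
]


def trust_path(root, signer, certifications, max_depth=3):
    """Return the shortest certification chain root -> signer, or None."""
    edges = {}
    for certifier, certified in certifications:
        edges.setdefault(certifier, set()).add(certified)
    queue = deque([[root]])
    seen = {root}
    while queue:
        path = queue.popleft()
        if path[-1] == signer:
            return path
        if len(path) - 1 >= max_depth:  # chain already at the hop limit
            continue
        for nxt in sorted(edges.get(path[-1], ())):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None


def should_ingest(sig_valid, signer, root, certifications, max_depth=3):
    """Decide whether a signed document may enter the triplestore."""
    if not sig_valid:
        return False, "bad signature"
    path = trust_path(root, signer, certifications, max_depth)
    if path is None:
        # The case raised in the thread: the signature is correct, but it
        # was made with a key that nobody we trust has vouched for.
        return False, "valid signature, but no trust path to signer key"
    return True, " -> ".join(path)


if __name__ == "__main__":
    for signer in ("KEY_VOCAB_MAINTAINER", "KEY_FAKE"):
        print(signer, should_ingest(True, signer, "KEY_ME", CERTIFICATIONS))
```

The hop limit matters in practice: every extra hop means relying on the certification habits of someone further removed from the verifier.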