[foaf-dev] FOAF sites offline during cleanup

Christopher Schmidt crschmidt at crschmidt.net
Sun Apr 26 23:10:50 CEST 2009


On Sun, Apr 26, 2009 at 11:01:06PM +0200, Kjetil Kjernsmo wrote:
> Hi danbri!
> 
> Sorry to hear your box was cracked!
> 
> On Sunday 26 April 2009, Dan Brickley wrote:
> > Some points here: recent Java includes APIs for XML Signature. Back
> > in the early FOAF days we signed FOAF files with PGP, and used a
> > wot:assurance link from the doc to the output. See
> > http://usefulinc.com/foaf/signingFoafFiles ... in fact the FOAF spec
> > used to be signed in this way. I would like to see the most common
> > 100 namespaces at least signed using some profile of XML Signature;
> > this would allow schemas to be cached and checked, and could help
> > reduce risks associated with networked retrieval of RDFS/OWL.
> 
> I think it is a good thing that things are signed, but I think that the 
> crucial issue here is not how the files are signed (i.e. whether it is 
> XML Sig or just sign the file isn't important). What is important is 
> how and by whom the files are checked.
> 
> I'm taking the trouble to sign my hand-edited FOAF file, but I don't 
> know if anybody has ever checked the signature. Nor am I aware of any 
> applications that check the signature, much less
> verify that the key belongs to me.

For the record, my RDF bot did, at one point, check signatures, using
wot:assurance. If the sig wasn't correct, the document wouldn't be put
into the triplestore. However, it's true that the trust chain wasn't
checked -- primarily because I had (at the time) no personal connection
to anyone in the web of trust, so I couldn't come up with a way to
verify that information.

In this situation, you're absolutely right: signing has no purpose,
because if you can't verify signatures via a social construct
encouraging people to join the WoT, then someone can just create a new
fake key, sign the doc, and no one would ever be the wiser.

> Anybody can sign anything with any key that carries any name, so it is 
> not sufficient, we need to use some WoT to ensure the integrity. I 
> think that if it was common that vocabularies, or instance data were 
> signed, it is also more likely that people would build a signature
> check into their applications. 

You would also need to encourage vocabulary maintainers to join the web
of trust. Perhaps this problem is sufficiently well-solved that this is
not a problem, but it needs to at least be a consideration.

> As of now, we are a pretty closely knit group, so what would get us a 
> long way is if we did keysigning parties as regular events on 
> conferences, and used these keys to verify the vocabularies. 

Agreed.

Regards,
-- 
Christopher Schmidt
Web Developer
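
The gap discussed in this message (a signature that verifies, from a key nobody has vouched for) can be closed by gating ingestion on a certification path as well as on the signature. The sketch below is an added example, not code from the RDF bot or any FOAF tool; the function names, the `KEY-...` fingerprints and the certification graph are constructed placeholders, and the signature check itself is assumed to be done by an external OpenPGP verifier.

```python
from collections import deque

# Constructed sample data: fingerprints are placeholders, not real keys.
# CERTIFICATIONS[k] = keys whose owner identity the holder of k has signed.
CERTIFICATIONS = {
    "KEY-ME": {"KEY-ALICE"},
    "KEY-ALICE": {"KEY-BOB"},
    "KEY-BOB": {"KEY-VOCAB-MAINTAINER"},
    "KEY-FAKE": {"KEY-FAKE"},  # freshly made key that only vouches for itself
}

def trust_path(my_key, signer_key, certifications, max_depth=3):
    """Return the shortest certification chain my_key -> signer_key, or None."""
    queue = deque([[my_key]])
    seen = {my_key}
    while queue:
        path = queue.popleft()
        if path[-1] == signer_key:
            return path
        if len(path) - 1 >= max_depth:  # chain already at the hop limit
            continue
        for nxt in sorted(certifications.get(path[-1], ())):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None

def admit_document(sig_valid, signer_key, my_key, certifications, max_depth=3):
    """Decide whether a signed document may enter the triplestore.

    sig_valid and signer_key are assumed to come from an external check of
    the signature that the document's wot:assurance link points to.
    """
    if not sig_valid:
        return (False, "bad signature")
    path = trust_path(my_key, signer_key, certifications, max_depth)
    if path is None:
        return (False, "valid signature, but signer key is not in my web of trust")
    return (True, " -> ".join(path))
```
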

