[foaf-dev] FOAF sites offline during cleanup

Dan Brickley danbri at danbri.org
Mon Apr 27 20:18:21 CEST 2009


On 27/4/09 20:03, Jeremy Carroll wrote:
> My view is that neither XML sig nor some sort of RDF signature, as envisaged in my paper cited in this thread, are appropriate.
>
> The techniques of both are trying to permit signing of the pertinent information, while ignoring irrelevancies (such as white space [in XML] or triple order [in RDF]).
>
> But why bother?
>
> If you have the original document, and its signature, just as a text file, you can confirm authorship. This solves the actual problems: everything else is just an intellectual exercise.

Yep. So how to record its signature? In the FOAF scene we used to do 
this: http://usefulinc.com/foaf/signingFoafFiles

Which basically involves being set up as a PGPGPGPG user and typing

	gpg -a --detach-sign myfile.rdf

My thinking was that we really ought to be using XML Sig (some simplest 
piece, ...) since that is more inclusive across X509 and PGP approaches. 
And since Java comes with lots of support for it now, we could still do 
it with a nice little portable tool...


> As with all software problems, ask the question: what are we trying to achieve? Then can we achieve that easily with some off the shelf software? & try and use the simplest off-the-shelf software one can.

(Java plus no extra libraries was quite appealing)

> The presenting problem is that Dan's web site was hacked, and some crucial files for SemWeb are down until he recovers the site.
>
> What we need (for the future) is reliable copies of those crucial files, that we know are good.
>
> I think that using the original documents, and signatures of those docs as text files achieves the goals.

Yes. Don't get me wrong, I really liked your exploration of how to 
canonicalise RDF graphs that contained bnodes, really clever approach. 
But for this current scenario, signing the source text file is massively 
simpler...

> Of course, the next thing that happens, is what happens when someone's private key is compromised ...

Yup :)

For RDFS/OWL specs, we might reasonably expect two editors to sign each 
republication independently...

Dan
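
The detached-signature approach discussed in this message, as an added example that is not part of the original post: two hypothetical editors each sign the same source file, a verifier checks both signatures, and a whitespace-only change is rejected because the signature covers the exact bytes. It assumes GnuPG 2.1 or later; the addresses, file contents and helper function names are constructed.

```shell
#!/bin/sh
# Constructed demo: editor addresses and file contents are made up.

# new_editor_key EMAIL: throwaway passphrase-less key in the current GNUPGHOME.
new_editor_key() {
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "$1" default default never 2>/dev/null
}

# sign_as EMAIL FILE: ASCII-armoured detached signature in FILE.EMAIL.asc.
sign_as() {
    gpg --batch --quiet --yes --pinentry-mode loopback --passphrase '' \
        --local-user "$1" -a --output "$2.$1.asc" --detach-sign "$2"
}

# verify_all FILE SIG...: succeed only if every detached signature is good.
verify_all() {
    file=$1; shift
    [ "$#" -gt 0 ] || return 1   # zero signatures must not count as a pass
    for sig in "$@"; do
        gpg --batch --quiet --verify "$sig" "$file" 2>/dev/null || return 1
    done
}

# setup_demo: isolated keyring, two editors, one signed file; sets WORK.
setup_demo() {
    WORK=$(mktemp -d) || return 1
    GNUPGHOME="$WORK/gnupg"; export GNUPGHOME
    mkdir -m 700 "$GNUPGHOME" || return 1
    printf '<rdf:RDF>\n  <foaf:Person/>\n</rdf:RDF>\n' > "$WORK/myfile.rdf"
    for ed in editor-a@example.org editor-b@example.org; do
        new_editor_key "$ed" && sign_as "$ed" "$WORK/myfile.rdf" || return 1
    done
    # Same markup, one extra space of indentation: different bytes.
    printf '<rdf:RDF>\n   <foaf:Person/>\n</rdf:RDF>\n' > "$WORK/reindented.rdf"
}

teardown_demo() {
    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$WORK"
}

if [ "${1:-}" = demo ]; then
    setup_demo || exit 1
    verify_all "$WORK/myfile.rdf" "$WORK"/myfile.rdf.*.asc && echo "original: both good"
    verify_all "$WORK/reindented.rdf" "$WORK"/myfile.rdf.*.asc || echo "reindented: rejected"
    teardown_demo
fi
```

Run it with the argument `demo` to see both outcomes. In real use the verifier imports each editor's public key out of band instead of sharing the signers' keyring.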

