[foaf-dev] FOAF sites offline during cleanup

Simon Reinhardt simon.reinhardt at koeln.de
Mon Apr 27 20:45:34 CEST 2009


I wonder, in which cases is signing appropriate anyway?
For handwritten FOAF and ontology files, sure. How about dynamically generated instance data? Should every DBpedia description resource be signed? In every representation? With dynamically generated stuff you can never be sure how your serialiser will output it.
Especially if we stick to static files then XML sig can't be the way to go - I don't want to write ontologies in RDF/XML anymore. :-)

Regards,
  Simon


Jeremy Carroll wrote:
> Yes in practice XML sig may have advantages over simple text file signing. But they are not particularly the advantages advertized for XML sig.
> 
> The RDF canonicalization stuff was interesting, but doesn't seem very practically relevant.
> 
> Jeremy
> 
> 
>> -----Original Message-----
>> From: semantic-web-request at w3.org [mailto:semantic-web-request at w3.org]
>> On Behalf Of Dan Brickley
>> Sent: Monday, April 27, 2009 11:18 AM
>> To: Jeremy Carroll
>> Cc: 'foaf-dev Friend of a'; foaf-protocols at lists.foaf-project.org;
>> 'Semantic Web'; 'Thomas Roessler'
>> Subject: Re: [foaf-dev] FOAF sites offline during cleanup
>> 
>> On 27/4/09 20:03, Jeremy Carroll wrote:
>> > My view is that neither XML sig nor some sort of RDF signature, as
>> envisaged in my paper cited in this thread, are appropriate.
>> >
>> > The techniques of both are trying to permit signing of the pertinent
>> information, while ignoring irrelevancies (such as white space [in XML]
>> or triple order [in RDF]).
>> >
>> > But why bother?
>> >
>> > If you have the original document, and its signature, just as a text
>> file, you can confirm authorship. This solves the actual problems:
>> everything else is just an intellectual exercise.
>> 
>> Yep. So how to record its signature? In the FOAF scene we used to do
>> this: http://usefulinc.com/foaf/signingFoafFiles
>> 
>> Which basically involves being set up as a PGPGPGPG user and typing
>> 
>> 	gpg -a --detach-sign myfile.rdf
>> 
>> My thinking was that we really ought to be using XML Sig (some simplest
>> piece, ...) since that is more inclusive across X509 and PGP
>> approaches.
>> And since Java comes with lots of support for it now, we could still do
>> it with a nice little portable tool...
>> 
>> 
>> > As with all software problems, ask the question: what are we trying
>> to achieve? Then can we achieve that easily with some off the shelf
>> software? & try and use the simplest off-the-shelf software one can.
>> 
>> (Java plus no extra libraries was quite appealing)
>> 
>> > The presenting problem is that Dan's web site was hacked, and some
>> crucial files for SemWeb are down until he recovers the site.
>> >
>> > What we need (for the future) is reliable copies of those crucial
>> files, that we know are good.
>> >
>> > I think that using the original documents, and signatures of those
>> docs as text files achieves the goals.
>> 
>> Yes. Don't get me wrong, I really liked your exploration of how to
>> canonicalise RDF graphs that contained bnodes, really clever approach.
>> But for this current scenario, signing the source text file is
>> massively
>> simpler...
>> 
>> > Of course, the next thing that happens, is what happens when
>> someone's private key is compromised ...
>> 
>> Yup :)
>> 
>> For RDFS/OWL specs, we might reasonably expect two editors to sign each
>> republication independently...
>> 
>> Dan
> 
> 
> 
> 
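
The trade-off discussed in this thread, as an added example that is not part of the original messages: a detached signature covers the exact bytes of a file, so the same triples re-emitted by a different serialiser no longer verify, while a digest over a normalised form survives re-serialisation but still detects changed content. The sample documents and function names are constructed for illustration, and the normalisation shown handles only blank-node-free N-Triples; graphs with bnodes need the real canonicalisation work mentioned above.

```python
import hashlib
import re

# One RDF term: IRI, literal (optional language tag or datatype), or blank node.
TERM = r'(<[^>]*>|"(?:[^"\\]|\\.)*"(?:@[A-Za-z0-9-]+|\^\^<[^>]*>)?|_:[A-Za-z0-9]+)'
TRIPLE = re.compile(r"\s*" + TERM + r"\s*" + TERM + r"\s*" + TERM + r"\s*\.\s*$")

# Constructed sample data: the same two triples as two serialisers might emit
# them (different statement order, spacing and blank lines).
DOC_A = (
    b'<http://example.org/me> <http://xmlns.com/foaf/0.1/name> "Alice" .\n'
    b'<http://example.org/me> <http://xmlns.com/foaf/0.1/knows> <http://example.org/bob> .\n'
)
DOC_B = (
    b'<http://example.org/me>   <http://xmlns.com/foaf/0.1/knows>   <http://example.org/bob> .\n'
    b'\n'
    b'<http://example.org/me> <http://xmlns.com/foaf/0.1/name> "Alice".\n'
)
# Constructed sample data: same layout as DOC_A, but the content was altered.
DOC_TAMPERED = DOC_A.replace(b"Alice", b"Mallory")


def byte_digest(doc: bytes) -> str:
    """Digest of the exact bytes, which is what a detached file signature protects."""
    return hashlib.sha256(doc).hexdigest()


def canonical_digest(doc: bytes) -> str:
    """Digest of the triples: one normalised line per statement, de-duplicated, sorted."""
    statements = set()
    for raw in doc.decode("utf-8").splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank lines and comments carry no triples
        match = TRIPLE.match(raw)
        if match is None:
            raise ValueError(f"not an N-Triples statement: {raw!r}")
        if any(term.startswith("_:") for term in match.groups()):
            # Blank node labels are arbitrary, so sorting lines is not enough.
            raise ValueError("blank nodes need real graph canonicalisation")
        statements.add(" ".join(match.groups()) + " .\n")
    return hashlib.sha256("".join(sorted(statements)).encode("utf-8")).hexdigest()


if __name__ == "__main__":
    print("same bytes:  ", byte_digest(DOC_A) == byte_digest(DOC_B))
    print("same triples:", canonical_digest(DOC_A) == canonical_digest(DOC_B))
    print("tamper seen: ", canonical_digest(DOC_A) != canonical_digest(DOC_TAMPERED))
```
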


