[rdfweb-dev] pgp signing

Dan Brickley danbri at w...
Fri Dec 20 08:19:23 UTC 2002


* Bill Kearney <wkearney99 at h...> [2002-12-20 00:13-0500]
> Hi all,
> 
> I'm a little puzzled about how Edd's example of signing a foaf handles anything
> being considered authoritative. Not that it's wrong, it's just that signing the
> entire file says nothing about it having any real authority over what it
> contains.
> 
> How can we address something like having one foaf:Person within a foaf file
> recognized as the 'authoritative' entity making the assertions within itself?

The way I've always thought we should do it, and I think this is the 
same as the technique Edd has documented (though maybe he didn't 
write up this aspect) is as follows.

1. in your foaf, mention your pubKeyAddress alongside other 
identifying details that tie in with the key.
(I'd suggest we include the key fingerprint, though that isn't necessary).

2. In your FOAF, say that the current doc has a dc:creator of (that person); 
or if you write things around the other way, say that you foaf:made your 
FOAF file. Either way, make an assertion in the signed RDF that says 
you wrote the RDF. 


> 
> That is, how can I 'indicate' that the signed document contains /my/ foaf:Person
> and I'm making claim that the contents of it are authoritative? How can I say:
> "Regardless of what triples you come across elsewhere, these are the
> authoritative ones". I'm sure there's several issues to consider with how a
> client reading this foaf is going to have any real reason to believe it's
> assertions. I'm not looking for perfection.

It isn't perfect :)
But if you do the above,
1. you know that the RDF says "there is a person, called bill, with 
such'n'so homepage, mailbox and pgp details"
1b. you can check the indicated key and see if it has the same 
fingerprint etc mentioned within the rdf
1c. you can check that the RDF was signed by that key, or at least
that the email address of the signing key matches your expectations 
about the person named as doc author
2. you can read the RDF to see if it says who the author of the RDF was.

This reduces us to the familiar PGP situation of knowing that the 
RDF doc was written by the owner of <some_pgp_key>, ie gets us back into the 
world of PGP identity-assuring key signing, key parties, offline verification 
of key fingerprints etc. Several FOAFy people have signed my key, 
checked (in real life) my key fingerprint info is accurate, etc. There is
plenty of overhead in doing this stuff, but the basic machinery is 
well established, and we can treat RDF signing as just a particular kind of 
document.
> 
> I could see this as being an important issue to most people.
> 
> I'm open to suggestions.

If you're consuming such data, and you have a particular person in mind
(for eg., me), you might do something like this:

1. you're looking for self-asserted info by the person who uses the 
mailbox danbri at w...
2. you find some candidate RDF docs by looking for a couple of 
things: docs that have an assertion that their dc:creator was me (for 
any one of several ways of identifying me, most simply by one of my 
mailboxes or my homepage).
3. for each of those, you look to see if there is a wot:assurance property
relating that document to a signature
4. ...and you look for info (via various methods -- need details here) 
to find keys that that person is known to use
5. ...and then check to see if any of the wot:assurance signings were
legit (ie. the data unchanged since signed) and by a key owned by 
that person.


...or something like that. It's 8.15am, haven't got my thinking head on yet...

hope this helps,

dan

ps. yes I know this is too complicated as presented to get adopted 
by non geeks. Maybe spam filtering will be the motivator for widespread 
adoption of pgp-like technology? 
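
The consumer-side steps 2-5 described in the message above, as an added Python sketch that is not part of the original post. It assumes the RDF is already parsed into (subject, predicate, object) tuples, that the fingerprint is carried in a property named `wot:fingerprint`, and that the signature was checked with `gpg --status-fd 1 --verify`; all URIs, mailboxes, fingerprints and status lines are constructed.

```python
import re

FPR = "0123456789ABCDEF0123456789ABCDEF01234567"   # constructed fingerprint
DOC = "http://example.org/bill/foaf.rdf"           # constructed document URI
# Constructed triples; "wot:fingerprint" is an assumed property name.
TRIPLES = [
    ("_:bill", "foaf:mbox", "mailto:bill@example.org"),
    ("_:bill", "wot:fingerprint", FPR),
    (DOC, "dc:creator", "_:bill"),
    (DOC, "wot:assurance", DOC + ".asc"),
]
# Keys the consumer has verified out of band (key signing, fingerprint check).
TRUSTED_KEYS = {"mailto:bill@example.org": {FPR}}
# Constructed `gpg --status-fd 1 --verify foaf.rdf.asc foaf.rdf` output.
GPG_STATUS = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 89ABCDEF01234567 Bill <bill@example.org>\n"
    f"[GNUPG:] VALIDSIG {FPR} 2002-12-20 1040372363 0 3 0 17 2 00 {FPR}\n"
)

def signer_fingerprint(status):
    """Fingerprint of the key that made a good signature, else None."""
    if not re.search(r"^\[GNUPG:\] GOODSIG ", status, re.M):
        return None
    m = re.search(r"^\[GNUPG:\] VALIDSIG ([0-9A-F]{40})\b", status, re.M)
    return m.group(1) if m else None

def objects(triples, subject, predicate):
    return {o for s, p, o in triples if s == subject and p == predicate}

def check_self_asserted(triples, doc, mbox, status, trusted_keys):
    """Apply steps 2-5 for one candidate doc; return (accepted, reason)."""
    authors = [c for c in objects(triples, doc, "dc:creator")
               if mbox in objects(triples, c, "foaf:mbox")]
    if not authors:                                   # step 2
        return False, "doc does not name this person as dc:creator"
    if not objects(triples, doc, "wot:assurance"):    # step 3
        return False, "no wot:assurance signature"
    signer = signer_fingerprint(status)               # step 5: data unchanged
    if signer is None:
        return False, "signature did not verify"
    claimed = set()
    for a in authors:
        claimed |= objects(triples, a, "wot:fingerprint")
    if claimed and signer not in claimed:             # checks 1b/1c
        return False, "signer is not the key named in the RDF"
    if signer not in trusted_keys.get(mbox, set()):   # steps 4-5: key ownership
        return False, "signing key not verified as this person's"
    return True, "signed by a verified key of the named author"
```

The last check is the one that carries the trust: a document whose stated fingerprint matches its own signature is only self-consistent until the key is tied to the person by some means outside the document.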


