[rdfweb-dev] Which Person wrote this FOAF?
Dan Brickley
danbri at w3.org
Tue Jul 29 11:17:28 UTC 2003
* Edd Dumbill <edd at usefulinc.com> [2003-07-29 12:02+0100]
> On Tue, 2003-07-29 at 11:53, Dan Brickley wrote:
> > I'm wondering how this will turn out for tool-assisted FOAF publication.
> > For example, Ecademy and TypePad generate FOAF on behalf of the person
> > described. Firstly, are we happy with the use of foaf:maker as a way
> > for such FOAF to assert that it is 'from' the person it describes. (I
> > am); secondly, it is reasonable to expect such services will ever
> > find a way to allow their users to PGP-sign this content (I'm
> > doubtful).
>
> On the first point, construing foaf:maker to indicate the person from
> whom the data originates seems the only reasonable solution. Otherwise,
> where do you stop? I mean, I used 'vi' on Debian GNU/Linux to make my
> FOAF file. Oh, and the computer was a Dell with serial number
> 8723478936, etc, etc.

Agreed.

I think generatorAgent fills the gap reasonably well, for those that
care to express software version etc. (probably useful actually...)

>
> On the second point, software agents will have to take a view on how
> much they trust information from certain third parties. In writing
> FOAFbot, for instance, I'd be happy to treat Ecademy FOAF files as
> signed by their authors.

Yes, same here.

> The construction of the general infrastructure for supporting third
> party assurances is beyond my ken right now, something finer minds than
> mine have worked on and are working on. I guess we'll figure out how to
> filter down their work into something that practically works for FOAF
> tools. It may be that SAML is a place we could go hunting for clues.

I've only taken the briefest look around SAML. Too much to read already!
But yes, you're right it is a natural spec to investigate here.

A couple of related thoughts:

 - similar issues crop up with local bulk-publishing of RDF. E.g. if you
   have 100s of .rdf files in your photo metadata collection, how to
   indicate your authorship of those without PGP-signing each.
   (Edd, didn't you have a hack for this?). Perhaps signing a
   table-of-contents RDF file which checksum'd each individual RDF?

(thinking out loud:)

 - maybe there is a relation (not sure how app-specific) along lines of
   wot:delegatesAssurance that relates PGP keys. Example: my PGP key has
   fingerprint "FA0C 0D5A 2B3F 808D AA28 2B63 3E15 EF2F 7322 8FE4". I
   could use it to PGP-sign some RDF which says that that key stands in
   a delegatesAssurance relationship to key(s) from Ecademy, TypePad.
   So I would only need a very basic PGP-signed FOAF file that said, in
   effect, 'if you see more FOAF signed by these other keys, they're
   making claims on my behalf.' (hmm, presume a different key for each
   user, rather than one key for all FOAF signed by that service?)

   (to feel comfortable with this, I'd want (i) time limits (ii) a
   revocation mechanism (iii) parameters for what I'm delegating, ie.
   wouldn't want this to be a blank slate for the delegated sites to
   say anything at all 'from me' forever. This is a huge problem space,
   and one we should tiptoe into rather cautiously...)

Dan
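
An added example, not part of the original message or of any FOAF tool: a sketch of the table-of-contents idea raised above, where one manifest lists a digest for each .rdf file so that a single PGP signature over the manifest covers the whole collection. SHA-256, the "digest, two spaces, path" line format and all function names are assumptions; the signature over the manifest is left to PGP and is assumed to have been checked before `verify` is called.

```python
import hashlib
import tempfile
from pathlib import Path

def build_manifest(root):
    """Map each .rdf file under root (relative path) to its SHA-256 hex digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*.rdf"))
    }

def serialize(manifest):
    """Canonical text form, sorted by path. This one document is what gets
    PGP-signed (for instance with `gpg --clearsign`), not each RDF file."""
    return "".join(f"{digest}  {path}\n" for path, digest in sorted(manifest.items()))

def parse(text):
    """Inverse of serialize(); the hex digest never contains spaces."""
    manifest = {}
    for line in text.splitlines():
        digest, path = line.split("  ", 1)
        manifest[path] = digest
    return manifest

def verify(root, manifest_text):
    """Compare the files on disk with a manifest whose signature was already checked."""
    listed, actual = parse(manifest_text), build_manifest(root)
    return {
        "modified": sorted(p for p in listed if p in actual and actual[p] != listed[p]),
        "missing": sorted(p for p in listed if p not in actual),
        # Files the signer never listed carry no authorship claim at all.
        "unlisted": sorted(p for p in actual if p not in listed),
    }

def demo():
    """Constructed sample collection: sign-time snapshot, then three kinds of drift."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "photos").mkdir()
        (root / "photos" / "a.rdf").write_text("<rdf:RDF>a</rdf:RDF>")
        (root / "photos" / "b.rdf").write_text("<rdf:RDF>b</rdf:RDF>")
        signed_text = serialize(build_manifest(root))
        clean = verify(root, signed_text)
        (root / "photos" / "a.rdf").write_text("<rdf:RDF>changed</rdf:RDF>")
        (root / "photos" / "b.rdf").unlink()
        (root / "c.rdf").write_text("<rdf:RDF>c</rdf:RDF>")
        return clean, verify(root, signed_text)

if __name__ == "__main__":
    print(demo())
```

A consumer treats only the files that match the signed manifest as authored by the key holder; the "unlisted" result matters as much as "modified", since a file dropped into the directory later is otherwise indistinguishable from the signed ones.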