[OpenID] cryptographics web of trust
John Kemp
frumioj at mac.com
Thu Aug 9 17:50:11 UTC 2007
Hi Henry,
Story Henry wrote:
> Hi, following some of the conversations I had on the openid forums, I
> have read up about web security and used that new gained knowledge to
> enhance my foaf file with a link to my public PGP key and used that
> to sign my foaf file.
And how did you actually sign the file? Did you simply take the text of
the rdf+n3 and rdf+xml files and do a signature of those "strings"? In
which case, if I wanted to use a different XML parser than yours (which
might handle whitespace differently for example) might your signature
not appear to be broken? Or did you make canonical XML representations
of the files before signing them?
Regarding your link to Jeremy Carroll's paper, it seems his solution is
to make a canonical RDF graph, "serialize" this as XML, and then use
(not explicitly stated AFAICT, but alluded to) W3C XML Digital Signature
to perform the actual signature.
BTW, I noticed in your blog entry that the following statements:
> <http://bblfish.net/people/henry/card.rdf>
> wot:assurance <http://bblfish.net/people/henry/card.rdf.asc> ;
> awol:type "application/rdf+xml" .
> <http://bblfish.net/people/henry/card.n3>
> wot:assurance <http://bblfish.net/people/henry/card.n3.asc> ;
> awol:type "text/rdf+n3" .
mentioning MIME types, are actually not correct: the signed RDF/XML
files mentioned in those URLs appear to actually be binary octets
(which can't necessarily be read by things looking for UTF-8, for example).
> Using this it is easy to see how one can create
> a semantic cryptographic web of trust.
>
> http://blogs.sun.com/bblfish/entry/cryptographic_web_of_trust
>
> There is a lot more to add for sure, but this is a good starting
> point. Great fun too.
Very nice work on this!
Regards,
- John
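The canonicalization question John raises above can be shown concretely. The following is an added illustration, not code from the thread or from Henry's FOAF setup: it takes one constructed FOAF graph in two different RDF/XML serializations (pretty-printed versus single-line, with namespace declarations in a different order) and compares a digest over the raw bytes, which is what a signature over the "string" commits to, with a digest over the W3C Canonical XML form, which is what XML Digital Signature commits to. It assumes Python 3.8 or later for `xml.etree.ElementTree.canonicalize` (Canonical XML 2.0); the documents and the tampered variant are constructed sample data, and the SHA-256 digest stands in for the value a PGP or XML-DSig signature would actually sign.

```python
"""Raw-bytes signing versus canonical-XML signing of an RDF/XML file.

Added illustration for the thread above, not code from the original post.
Assumes Python 3.8+ (xml.etree.ElementTree.canonicalize, C14N 2.0).
The FOAF documents below are constructed sample data.
"""
import hashlib
import xml.etree.ElementTree as ET

# Constructed: the same FOAF graph as two different serializations.
# DOC_A is pretty-printed; DOC_B is a single line with the namespace
# declarations in another order, as a different serializer might emit it.
DOC_A = b"""<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
         xmlns:foaf="http://xmlns.com/foaf/0.1/">
  <foaf:Person rdf:about="#me">
    <foaf:name>Henry</foaf:name>
  </foaf:Person>
</rdf:RDF>
"""

DOC_B = (b'<rdf:RDF xmlns:foaf="http://xmlns.com/foaf/0.1/" '
         b'xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">'
         b'<foaf:Person rdf:about="#me"><foaf:name>Henry</foaf:name>'
         b'</foaf:Person></rdf:RDF>')

# Constructed: a genuine content change, which any sound scheme must detect.
DOC_TAMPERED = DOC_B.replace(b"Henry", b"Mallory")


def raw_digest(data: bytes) -> str:
    """Digest of the bytes as served: what 'sign the string' commits to.

    Any re-serialization (whitespace, attribute order, line endings)
    changes this value even though the graph is unchanged."""
    return hashlib.sha256(data).hexdigest()


def canonical_form(data: bytes) -> bytes:
    """Canonical XML serialization of the document.

    C14N drops whitespace-only text, orders attributes and namespace
    declarations deterministically and normalizes quoting, so distinct
    serializations of the same XML infoset collapse to one byte string.
    Note: this normalizes XML syntax only; two different RDF/XML trees
    that denote the same RDF graph are NOT unified by XML C14N, which is
    the gap a canonical RDF graph (as in Carroll's paper) addresses."""
    return ET.canonicalize(xml_data=data.decode("utf-8"),
                           strip_text=True).encode("utf-8")


def canonical_digest(data: bytes) -> str:
    """Digest a signature over the canonical form would commit to."""
    return hashlib.sha256(canonical_form(data)).hexdigest()


def verify_canonical(data: bytes, expected_digest: str) -> bool:
    """Verifier side: re-canonicalize whatever serialization arrived,
    then compare with the digest carried by the detached signature."""
    return canonical_digest(data) == expected_digest


if __name__ == "__main__":
    print("raw digests equal:      ", raw_digest(DOC_A) == raw_digest(DOC_B))
    print("canonical digests equal:", canonical_digest(DOC_A) == canonical_digest(DOC_B))
    print("tampered copy verifies: ",
          verify_canonical(DOC_TAMPERED, canonical_digest(DOC_A)))
    print(canonical_form(DOC_A).decode("utf-8"))
```

Running it shows the raw digests of the two serializations differ while the canonical digests agree, so a verifier that canonicalizes before checking accepts either copy and still rejects the tampered one. The limitation stays as noted in the comment: XML canonicalization does not equate different RDF/XML encodings of one graph, which is why a canonical RDF graph serialization is needed before the XML signature if the goal is to sign the graph rather than one particular file.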