[OpenID] cryptographics web of trust

Story Henry henry.story at bblfish.net
Thu Aug 9 23:58:39 UTC 2007


Hi John, it is 2 am here, and your questions are easy to answer so I'll answer them
right away before going to bed...

I'll answer the other questions tomorrow.

On 9 Aug 2007, at 19:50, John Kemp wrote:

> Hi Henry,
>
> Story Henry wrote:
>> Hi, following some of the conversations I had on the openid forums, I
>> have read up about web security and used that new gained knowledge to
>> enhance my foaf file with a link to my public PGP key and used that
>> to sign my foaf file.
>
> And how did you actually sign the file? Did you simply take the text of
> the rdf+n3 and rdf+xml files and do a signature of those "strings"?

Exactly.

> In which case, if I wanted to use a different XML parser than yours (which
> might handle whitespace differently for example) might your signature
> not appear to be broken? Or did you make canonical XML representations
> of the files before signing them?

You would not check the signature against whatever your xml parser returned
(though I would suggest using one of the many rdf parsers available) but
on the representation returned by getting either card.rdf or card.n3.
The encryption is on the document as a string, not on the content of
the document. In fact card.rdf and card.n3 are foaf:Documents.

But I can see that this can be a tricky question. Something worth looking into
in more detail.

> Regarding your link to Jeremy Carroll's paper, it seems his solution is
> to make a canonical RDF graph, "serialize" this as XML, and then use
> (not explicitly stated AFAICT, but alluded to) W3C XML Digital Signature
> to perform the actual signature.

Ah. I did not notice the W3C XML signature part.
But you are right about the canonicalization part. In the end, this might be the
strictly correct solution. It would require a new relation URI, and software to make
it easy to parse.


>
> BTW, I noticed in your blog entry that the following statements:
>
>> <http://bblfish.net/people/henry/card.rdf>
>>        wot:assurance <http://bblfish.net/people/henry/card.rdf.asc> ;
>>        awol:type "application/rdf+xml" .
>> <http://bblfish.net/people/henry/card.n3>
>>        wot:assurance <http://bblfish.net/people/henry/card.n3.asc> ;
>>        awol:type "text/rdf+n3" .
>
> mentioning MIME types, are actually not correct - the signed RDF/XML
> files mentioned in those URLs, appear to be actually binary octets
> (which can't necessarily be read by things looking for UTF8 for example)

If you look at the graph at the end of the blog, you will see that these relations
are relations from the foaf file to the mime type. What is said is

>> <http://bblfish.net/people/henry/card.rdf> awol:type "application/rdf+xml" .


i.e. card.rdf has mime type application/rdf+xml, which is correct.
The subject of awol:type is not card.rdf.asc but card.rdf.

On the other hand, I am not sure what the correct mime type is for the public key
or for the digital signature. I probably need to fix those.

>
>> Using this it is easy to see how one can create
>> a semantic cryptographic web of trust.
>>
>> http://blogs.sun.com/bblfish/entry/cryptographic_web_of_trust
>>
>> There is a lot more to add for sure, but this is a good starting
>> point. Great fun too.
>
> Very nice work on this!

Thanks. :-)

>
> Regards,
>
> - John

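The parser-and-whitespace question John raises in the thread, and the canonicalization that Henry says may be the strictly correct solution, worked through as an added example (this is not code from either of them or from bblfish.net; the FOAF card is a constructed sample and SHA-256 stands in for the digest a PGP signature commits to): a signature over the raw bytes of card.rdf is exact but fails as soon as any tool re-serialises the document, while a Canonical XML 2.0 form survives the round trip.

```python
import hashlib
from xml.etree import ElementTree as ET

# Constructed sample: a minimal FOAF card in RDF/XML, as card.rdf might be served.
CARD_RDF = b"""<?xml version="1.0" encoding="utf-8"?>
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
         xmlns:foaf="http://xmlns.com/foaf/0.1/">
  <foaf:Person rdf:about="#me">
    <foaf:name>Henry Story</foaf:name>
  </foaf:Person>
</rdf:RDF>
"""

# The same infoset after a round trip through a different XML tool: identical
# content, but the namespace declarations are reordered and whitespace dropped.
CARD_RDF_RESERIALISED = (
    b'<?xml version="1.0" encoding="utf-8"?>'
    b'<rdf:RDF xmlns:foaf="http://xmlns.com/foaf/0.1/" '
    b'xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">'
    b'<foaf:Person rdf:about="#me"><foaf:name>Henry Story</foaf:name>'
    b'</foaf:Person></rdf:RDF>'
)


def raw_digest(doc: bytes) -> str:
    """Digest of the exact byte string a detached signature such as
    card.rdf.asc covers: any change to the bytes changes this value."""
    return hashlib.sha256(doc).hexdigest()


def canonical_digest(doc: bytes) -> str:
    """Digest of the Canonical XML 2.0 form (standard-library C14N writer),
    with whitespace-only text stripped, so every parser that preserves the
    infoset yields the same value whatever its own serialisation looks like."""
    canon = ET.canonicalize(doc, strip_text=True)
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()


def signature_still_matches(signed: bytes, fetched: bytes, canonical: bool) -> bool:
    """Model the verifier's comparison: the digest the signer committed to
    against the digest of the bytes the verifier actually has in hand."""
    digest = canonical_digest if canonical else raw_digest
    return digest(signed) == digest(fetched)


if __name__ == "__main__":
    print("raw bytes match:", signature_still_matches(CARD_RDF, CARD_RDF_RESERIALISED, False))
    print("canonical match:", signature_still_matches(CARD_RDF, CARD_RDF_RESERIALISED, True))
```

Checking against the bytes actually fetched from card.rdf, as Henry describes, is the raw case; Carroll's approach is the canonical case, at the cost of agreeing on a canonicalization and publishing which one was used.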