[OpenID] cryptographics web of trust

Peter Williams pwilliams at rapattoni.com
Fri Sep 21 17:01:51 UTC 2007


Your card has the following lines:
 
<http://danbri.org/danbri-pubkey.txt> <http://xmlns.com/wot/0.1/assurance> <http://bblfish.net/people/henry/danbri.pubkey.asc.asc>.
 
<http://danbri.org/foaf.rdf#danbri> a foaf:Person;
 foaf:name "Dan Brickley".

 
Two questions!
 
(a) a foaf:name is the literal ("Dan Brickley"). I see folks referring colloquially to http://danbri.org/foaf.rdf#danbri as the foaf:name too (in the context of the above). What is http://danbri.org/foaf.rdf#danbri in foaf terms? Obviously it is a subject in triple terms.
 
(b) given http://danbri.org/foaf.rdf#danbri's Person instance doesn't happen to have a wot:pubkeyaddress, some tool must be inferring it.
 
And your "<remote.txt> wot:assurance <local.asc.asc>." line seems to be the cue.
 
I'm guessing some tool, on importing a friend's Person fields, is (i) locally rewriting the data pulled from http://danbri.org/danbri-pubkey.txt as http://bblfish.net/people/henry/danbri.pubkey.asc.asc, and (ii) adding a rule to allow a local wot/assurance tool to know that it has access to a local source of the pubkey (that is, a "more locally-trusted" replica than the web original).
 
I think you said this once somewhere: you pull the pubkeys, store them locally, and thereby endorse them -- at least to yourself. Others may also rely on your endorsement, by referring to your replica of his pubkey.
 
As long as pubkeys don't change that often, the replicas are up to date.
 
-----
 
This gets back to the 1996 case of a bankrupt merchant having a $400 value public/private SSL key pair "asset" that became the $2 value property of the guy who bought this asset during asset liquidation. The buyer launched his SSL website, saving $398 by not having to pay a $400 fee to V**S**gn to get a V*S*-endorsed SSL cert on his site. Both V*S* and V**S**gn went after him, unsuccessfully. He had a transferable asset that he bought fair and square during a court-ordered liquidation. Yes, V**S**gn revoked it in their local database. But so what? No one outside the military and the Microsoft kernel driver loader checks cert revocation, even today.

------

There is possibly an important OpenID URI issue underlying this thread. But let's discuss the issue first in terms of your actual file.

 


> What I don't understand is the part of your scheme (and especially I
> don't understand some of the lines in the card's N3 that seem to
> rewrite file extensions) that allow me to refer to your copy of your
> friends' public keys (or at least your counter-signature of those
> public keys) resident on the same host as that from which I pull your
> card.

Which lines in particular?




