On Tue, Jul 6, 2010 at 5:17 PM, Bruno Harbulot <bruno.harbu...@manchester.ac.uk> wrote:
>
> 5. Addressing the issue of signed RDF assertions or comparison with
> other repositories of keys.
>
> So far, we've been using a simple dereferencing of the WebID to do the
> verification. It's OK, but it doesn't really improve the security
> compared to OpenID. There is potential to improve the security by using
> the keys of course. How far do we want to go there?
"Addressing the issue of signed RDF assertions" -> In such generic terms I think it's by far out of scope for foaf+ssl (for a paper on the subject see Jeremy Carroll's paper on signing RDF graphs [1]). However, I think I very much agree with your intention, and I think that from the beginning we should have a way for transitive trust chains. But instead of signing complete graphs or arbitrary extensions, we should have a way to say and sign something like "At time X I assume|believe|stronger that Y is the public key of P, see Z for possible updates on this belief". I think this signing should be done largely automatically, and even if on a low trust level of "assume" it can have great benefits. For example, a friend request should be accompanied by such a statement (as in fact this only says that we think we're sending the request to the right person; a single one of these is of little use, but many such statements can build a sound foundation for some trust).

Cheers,
reto

1. http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.58.3198&rep=rep1&type=pdf
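The signed "at time X I assume|believe|stronger that Y is the public key of P, see Z for updates" statement sketched above, as an added example that is not from this thread or from foaf+ssl itself: it assumes an Ed25519 issuer key and a simple line-based encoding of the statement that the issuer signs and the recipient verifies, and the WebID and URL values are constructed placeholders.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"time"
)

// KeyAssertion is the statement proposed in the thread: "at time X I <level>
// that Y is the public key of P, see Z for updates". The field layout and the
// line-based encoding are this example's assumptions, not part of foaf+ssl.
type KeyAssertion struct {
	IssuedAt  time.Time         // X
	Level     string            // "assume", "believe" or "stronger"
	SubjectID string            // P, the subject's WebID
	SubjectPK ed25519.PublicKey // Y
	UpdateURL string            // Z, where revisions of this belief appear
}

var levels = map[string]bool{"assume": true, "believe": true, "stronger": true}

// canonical is the fixed byte encoding both signer and verifier work over;
// changing any field changes these bytes and so invalidates the signature.
func (a KeyAssertion) canonical() []byte {
	return []byte(fmt.Sprintf("issued-at: %s\nlevel: %s\nsubject: %s\nsubject-key: %x\nupdates: %s",
		a.IssuedAt.UTC().Format(time.RFC3339), a.Level, a.SubjectID, a.SubjectPK, a.UpdateURL))
}

// Sign lets the issuer (e.g. the sender of a friend request) sign the statement.
func Sign(issuer ed25519.PrivateKey, a KeyAssertion) []byte {
	return ed25519.Sign(issuer, a.canonical())
}

// Verify accepts only an intact statement with a recognised trust level,
// signed by the claimed issuer.
func Verify(issuerPK ed25519.PublicKey, a KeyAssertion, sig []byte) bool {
	return levels[a.Level] && ed25519.Verify(issuerPK, a.canonical(), sig)
}

func main() {
	issuerPK, issuerSK, _ := ed25519.GenerateKey(rand.Reader)
	subjectPK, _, _ := ed25519.GenerateKey(rand.Reader)
	a := KeyAssertion{time.Now(), "assume", "https://example.org/p#me", subjectPK, "https://example.org/p/keys"}
	sig := Sign(issuerSK, a)
	fmt.Println(Verify(issuerPK, a, sig)) // true
	a.Level = "stronger"                  // tamper: upgrade the trust level
	fmt.Println(Verify(issuerPK, a, sig)) // false
}
```

Each verified statement is only one issuer's belief at one time; the point made in the thread is that many such low-level statements from different issuers accumulate into trust.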