Re: Report on Beijing

Thanks Kai, and thanks for flying the POWDER flag in Beijing.

I get asked the same question and my answer is usually a version of:

There are several methods of adding security - XML Sig, SSL etc. And it 
depends on the application which is the most appropriate. The claim that 
a Web site offers good ideas for children's parties needs a different 
level of security than the claim that the advice on the Web site is 
useful for defusing a nuclear warhead. /Therefore/ we don't prescribe a 
single method.

But... as you say, the question does keep coming up. Section 4 of the DR 
doc [1] attempts to answer it and highlights several methods:

1. wdr:authenticate - which links a FOAF file to a description of a 
service - any service - through which one can authenticate a DR created 
by that author.

2. Certification using a DR - in which a hash of the (single) thing 
described is part of the description.

3. supportedBy - a pointer from a DR to some other source of information 
that will offer a similar description.

4. The source of the DR - if you get your DR directly from 
technosite.es, notwithstanding a man-in-the-middle attack, you can be 
pretty sure that Technosite was the publisher of the DR.

5. Machine Learning - Since DRs make it easy to use controlled 
vocabularies, and controlled vocabularies make it easy to train content 
analysers.

Those who know the WG members will be able to discern where these 
approaches all come from. In addition, Andrea has suggested we make use 
of Dan Brickley's 'other vocabulary', the Web of trust 
http://xmlns.com/wot/0.1/ and, yes, XML Sig. I'd be very happy to see 
these in the doc!

Phil


[1] http://www.w3.org/TR/2008/WD-powder-dr-20080317/#trust

Scheppe, Kai-Dietrich wrote:
> Phil had asked about China and the WWW2008 conference.
> 
> Yes, there is something to report.
> I gave a short presentation on POWDER.  
> It went fine, people seemed interested, there were few questions.
> 
> However, one point came up in several conversations with several people
> - that of security.
> 
> Basically I was asked:  
> 
>       How do you ensure that the DR which has been written does in fact
> come from that person or entity?
> 
> I believe we had, a long time ago, discussed digital signatures, but I
> wasn't sure what had come of all that.
> 
> 
> Question to the group:  Will we deal with that? And if yes, how?
> 
> The easy way out would be to say no, trust is up to the user and we
> won't bother, but I was struck by how this point came up several times
> independently, thus I think it is not something to be brushed aside.
> 
> -- Kai
> 
> 

Received on Wednesday, 30 April 2008 08:44:05 UTC