
   Re: [xml-dev] Triplets on the Internet


> On Wed, 2004-06-16 at 10:53, Danny Ayers wrote:
> > Yep, fyi, Edd Dumbill has done a little guide to PGP-signing FOAF 
> > profiles [1]. Note the caveat:
> > 
> > [[
> > Of course, anyone can concoct a fake PGP key with your email address, 
> > just as they can lie about who was the |dc:creator| of a file. What 
> > makes the PGP signature useful is that PGP public keys hook into a web 
> > of trust, so you can decide how much you trust what a person with 
> > such-and-such a key asserts.
> > ]]
> > 
> > Signing alone almost certainly isn't the whole solution, but one piece 
> > in a greater puzzle.
> > 
> 
> This is very true. If I have a picture annotation that claims to be from
> "Fred" that says "This is a picture of the summit of Everest". I have to
> know:
> 
> 1) Who is Fred?
> 2) Did this really come from that Fred (and not some person pretending
> to be Fred)?
> 3) Did someone else modify it in transit?
> 4) What authority does Fred have to speak about this picture?
> 5) What authority does Fred have to identify pictures of the summit of
> Everest?
> 
> Certificates and signing can only really address 1, 2 and 3 and can
> really only partially answer 1 in terms of information held by the
> certificate authority.

There is a whole other aspect, too.  Suppose that you decide that Fred's credentials are really in order, to what extent can you believe what he says?  A person can be untrustworthy on one or many subjects even though his identity is well-established.

Cheers,

Tom P







 


Copyright 2001 XML.org. This site is hosted by OASIS