PGP Signing FOAF Files

Rationale

One important thing to be able to do is establish some kind of authorship for FOAF files. Without a priori knowledge of a file's authorship, a way is needed of associating an author with the file.

In a simple situation, you can always use the Dublin Core creator property to assign authorship to a file, but there is no way an agent can verify that the information is not bogus.

Instead, we use a PGP signature. A correct PGP signature for a file establishes:

• that the file has not changed since it was signed
• a connection between the file and one or more email addresses

Of course, anyone can concoct a fake PGP key with your email address, just as they can lie about who was the dc:creator of a file. What makes the PGP signature useful is that PGP public keys hook into a web of trust, so you can decide how much you trust what a person with such-and-such a key asserts.

Implementation

1. Linking the signature from your FOAF file

   Declare the wot namespace in your FOAF file:

         xmlns:wot="http://xmlns.com/wot/0.1/"
   

   Add a link to the place your digital signature for that file will be available from:

         <!-- digital signature for this file -->
         <rdf:Description rdf:about="">
            <wot:assurance rdf:resource="foaf.rdf.asc" />
         </rdf:Description>
   

2. Creating the digital signature

   Create a detached ASCII-armored digital signature for your FOAF file. With GPG, it's as easy as gpg -a --detach-sign foaf.rdf This will place the signature in the file foaf.rdf.asc.

Some notes on PGP

If you've not used PGP before, you should read about it. A good place to start is the comp.security.pgp FAQ

As far as software is concerned, I recommend a popular (and free) implementation of PGP, called GPG, also known as GnuPG.

Your PGP public key should be available on the public keyservers. This is so that if someone finds something you have signed, they can get hold of your public key to verify the signature. Uploading is easy. With GPG, just do:

  gpg --keyserver pgp.mit.edu --send-keys <your-email-address>

Indicating authorship inside the file

If you want to indicate authorship explicitly as well as implicitly through PGP, see the directions in Indicating HTML and RDF authorship with FOAF. Without PGP, such assertions are easily faked, but with PGP they provide some explicit indication of authorship, which complements that which a software agent might infer from the PGP signature.