[uf-discuss] Authenticity of Authoritative hCard (was: Re: Vote on this: rel="me self" to indicate an authoritative hCard)

Henrich C. Poehls newsletter at 2000grad.com
Fri Feb 9 07:52:59 PST 2007


Hello Ara,

On 02/03/2007 Ara Pehlivanian <ara.pehlivanian at gmail.com> wrote:
> On 2/1/07, John Allsopp <john at westciv.com> wrote:
>> vCard has the property key - and so too does therefore hCard. vCard
>> defines key (more or less, no connection this moment to quote directly)
>>
>> Specifies the public key or authentication certificate associated
>> with the entity the vcard represents
> 
> So then that settles the issue of authentication. If a third party
> consumer that reads the hCard wants to validate its authenticity, it
> can simply use the key (if present). It could further match all linked
> hCard keys to validate the chain's integrity. N'est-ce pas?

Not really that easy. Once you have got the public-key of the person, which I
think could well be stored in the vCard's key property, you need a
digital signature in order to verify its use when generating the
content. A public-key, by definition, could be copied by anyone. It's
the generation of a digital signature over the Microformat that involves
the use of the private/secret-key, that actually shows that the person
to whom the public-key belongs has signed that specific Microformat
(e.g. his/her own hCard).

But then we still need to verify (get some trust) that the public-key
used to verify the digital signature actually belongs to the person we
assumed (e.g. a public-key certificate issued/signed by VeriSign). Only
then have we authenticated the hCard of that person via a digital signature.

I started a brainstorming on the wiki[1] on how to Digitally Sign
Microformats and store this information again in a Microformat.


Bye,
Henrich

[1] http://microformats.org/wiki/digitalsignature-brainstorming
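
Added example, not part of the message above or of the wiki proposal: a Node.js sketch of the three cases the reply distinguishes (a copied key with no signature, a signature that does not match the content, and a valid signature made with a key nobody vouches for). Ed25519, the `signature` field, the canonical form and the pinned-fingerprint set (standing in for a CA-issued certificate) are all assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

// Assumed canonical form: sorted "name=value" lines, key/signature excluded.
// Assumes values contain no newlines.
function canonicalize(hcard) {
  return Object.keys(hcard)
    .filter((k) => k !== 'key' && k !== 'signature')
    .sort()
    .map((k) => `${k}=${hcard[k]}`)
    .join('\n');
}

// SHA-256 over the DER-encoded public key; what a verifier would pin.
function fingerprint(pem) {
  const der = crypto.createPublicKey(pem).export({ type: 'spki', format: 'der' });
  return crypto.createHash('sha256').update(der).digest('hex');
}

function signHcard(fields, { privateKey, publicKey }) {
  const key = publicKey.export({ type: 'spki', format: 'pem' });
  const sig = crypto.sign(null, Buffer.from(canonicalize(fields)), privateKey);
  return { ...fields, key, signature: sig.toString('base64') };
}

// Returns 'no-signature', 'bad-signature', 'untrusted-key' or 'authentic'.
function verifyHcard(hcard, trustedFingerprints) {
  if (!hcard.key || !hcard.signature) return 'no-signature';
  let ok = false;
  try {
    ok = crypto.verify(null, Buffer.from(canonicalize(hcard)),
      crypto.createPublicKey(hcard.key), Buffer.from(hcard.signature, 'base64'));
  } catch {
    ok = false; // malformed key or signature
  }
  if (!ok) return 'bad-signature';
  // A valid signature only proves possession of *some* private key.
  return trustedFingerprints.has(fingerprint(hcard.key)) ? 'authentic' : 'untrusted-key';
}

// Constructed sample data.
const alice = crypto.generateKeyPairSync('ed25519');
const impostor = crypto.generateKeyPairSync('ed25519');
const fields = { fn: 'Alice Example', url: 'https://alice.example/' };
const evil = { ...fields, url: 'https://impostor.example/' };
const genuine = signHcard(fields, alice);
const trusted = new Set([fingerprint(genuine.key)]); // learned out of band
const copiedKeyOnly = { ...evil, key: genuine.key };
const tampered = { ...genuine, url: evil.url };
const selfSigned = signHcard(evil, impostor);
```

Only `genuine` verifies as authentic; `selfSigned` carries a mathematically valid signature and is rejected solely because its key is not in the trusted set.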

