[uf-discuss] Authenticity of Authoritative hCard

Derrick Lyndon Pallas derrick at pallas.us
Fri Feb 9 08:19:12 PST 2007

> On 02/03/2007 Ara Pehlivanian <ara.pehlivanian at gmail.com> wrote:
>> So then that settles the issue of authentication. If a third party
>> consumer that reads the hCard wants to validate its authenticity, it
>> can simply use the key (if present). It could further match all linked
>> hCard keys to validate the chain's integrity. N'est pas?

> Henrich C. Poehls wrote:
> But then we still need to verify (get some trust) that the public-key
> used to verify the digital signature actually belongs to the person we
> assumed (e.g. A public-key certificate issued/signed by VeriSign). Only
> then we have authenticated the hcard of that person via a digital signature.
How many people actually pay the VeriSign fee to have their key-pair 
signed? Not anyone I know. And what does it give us that we don't 
already have? If you're going to follow chains to hCards,

1.) anyone can copy the signature and insert it into an identical hCard 
on another site, so you have to make sure that authoritative URL is 
somewhere in the hCard and marked as authoritative

2.) anyone can link to an hCard pretending to be the owner, so you have 
to check the XFN links to "me"; therefore, users have to update and 
re-sign their signature every time a resource (they want to be in the 
chain) links to their "authoritative" hCard; e.g. blog posts, which they 

So we do a lot of extra work for not much benefit, except a false sense 
of security because a big company is convinced that the person we think 
we're looking at is (they think) the person they think we're looking at.

More information about the microformats-discuss mailing list