[uf-discuss] Authenticity of Authoritative hCard

Henrich C. Poehls newsletter at 2000grad.com
Thu Feb 15 10:11:27 PST 2007

From: Derrick Lyndon Pallas <derrick at pallas.us>
Date: 02/09/2007 5:19:12 PM +0100
>> On 02/03/2007 Ara Pehlivanian <ara.pehlivanian at gmail.com> wrote:
>>> So then that settles the issue of authentication. If a third party
>>> consumer that reads the hCard wants to validate its authenticity, it
>>> can simply use the key (if present). It could further match all linked
>>> hCard keys to validate the chain's integrity. N'est pas?
>> Henrich C. Poehls wrote:
>>   But then we still need to verify (get some trust) that the public-key
>> used to verify the digital signature actually belongs to the person we
>> assumed (e.g. A public-key certificate issued/signed by VeriSign). Only
>> then we have authenticated the hcard of that person via a digital
>> signature.
> How many people actually pay the VeriSign fee to have their key-pair
> signed? Not anyone I know. 

Self-signed certificates, Company Email-Certificates, or PGP's Web of
Trust work for many other applications (e.g. email, chat, ...).
I see no reason why they would not be useful "authenticating" the
content we author.

> And what does it give us that we don't
> already have? If you're going to follow chains to hCards,
> 1.) anyone can copy the signature and insert it into an identical hCard
> on another site, so you have to make sure that authoritative URL is
> somewhere in the hCard and marked as authoritative

If the hcard copied is "identical" than it would of course have the same
URL the original hcard had, if it is not "identical" (e.g. spoofed,
modified) than a copied signature would not validate.
Thinking of services that for example aggregate hcards I see value in
having the re-displayed hcard (copied and re-published on another site)
still signed by the original author.

> 2.) anyone can link to an hCard pretending to be the owner, so you have
> to check the XFN links to "me"; therefore, users have to update and
> re-sign their signature every time a resource (they want to be in the
> chain) links to their "authoritative" hCard; e.g. blog posts, which they
> authored

For Blog posts I would rather add a signature over the whole Blog post
or Blog comment, than just over my hcard. Or maybe even over both.
In general I think the signature shall cover the content you want to
"secure". Everyone then can verify this without the need to go and
search and trace the links to find an "authoritative" content. If a
viewer finds the content at hand sufficient enough you can verify the
signature. Only the first time the viewer needs to start looking to find
and verify the author's public key. This can be done using existing
services like PGP-Keyservers.

> So we do a lot of extra work for not much benefit, except a false sense
> of security because a big company is convinced that the person we think
> we're looking at is (they think) the person they think we're looking at.

I see your point that it adds overhead due to signature generation, and
I also see your point that verifying digital signatures must be done
right to achieve additional security. But if done right I think the
security offered by a digital signature is much higher (or at least very
different) than what the "authoritative"-content-trace-back-mechanism
has to offer.


More information about the microformats-discuss mailing list