Archive for July 8th, 2009

Determining the Level of Trust of a Digitally Signed Document

Wednesday, July 8th, 2009

In order to determine how trustworthy a digital signature on a file is, you need the file, its digital signature, and the signer’s public key imported into your keyring. This Wikipedia fragment describes what is meant by a “trustworthy signature” in terms of the Web of Trust.

This is the command I run to determine the level of trust of my signed foaf file.

gpg --verify --no-tty --status-fd 2 --command-fd 0 foaf.rdf.asc foaf.rdf

Which results in the following output:

gpg: Signature made Wed 3 Jun 23:19:52 2009 BST using RSA key ID 51F2F7EF
[GNUPG:] SIG_ID foL1PiWCT+546VnE17UG2QvWJeE 2009-06-03 1244067592
[GNUPG:] GOODSIG 9ED0B04E51F2F7EF Mischa Tuffield (Mischa@Garlik) <mischa.tuffield@garlik.com>
gpg: Good signature from "Mischa Tuffield (Mischa@Garlik) <mischa.tuffield@garlik.com>"
gpg: aka "Mischa Tuffield (http://id.ecs.soton.ac.uk/person/6914) <mmt04r@ecs.soton.ac.uk>"
[GNUPG:] VALIDSIG 18A2AF280CA59E77AE512BB39ED0B04E51F2F7EF 2009-06-03 1244067592 0 4 0 1 2 00 18A2AF280CA59E77AE512BB39ED0B04E51F2F7EF
[GNUPG:] TRUST_ULTIMATE

This is an automatic way of evaluating how trustworthy the statements at the end of a URI are.
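To make that automatic, the machine-readable "[GNUPG:]" lines that --status-fd emits have to be reduced to a single answer: did the signature verify, which key made it, and how much does the local keyring trust that key. The following is an added example (not code from this post) that does exactly that over the output shown above; the trust ordering and the "at least TRUST_FULLY" threshold are my choices, not something gpg dictates.

```python
# Interpret gpg's --status-fd output (the "[GNUPG:] ..." lines) and decide
# whether a signature is trustworthy. Added example, not the post's own code.
STATUS_PREFIX = "[GNUPG:] "

# Ordered from least to most trusted; anything not listed ranks as unknown (-1).
TRUST_ORDER = ["TRUST_UNDEFINED", "TRUST_NEVER", "TRUST_MARGINAL",
               "TRUST_FULLY", "TRUST_ULTIMATE"]

# The verification output shown above, embedded here as sample input.
SAMPLE_OUTPUT = """\
gpg: Signature made Wed 3 Jun 23:19:52 2009 BST using RSA key ID 51F2F7EF
[GNUPG:] SIG_ID foL1PiWCT+546VnE17UG2QvWJeE 2009-06-03 1244067592
[GNUPG:] GOODSIG 9ED0B04E51F2F7EF Mischa Tuffield (Mischa@Garlik) <mischa.tuffield@garlik.com>
gpg: Good signature from "Mischa Tuffield (Mischa@Garlik) <mischa.tuffield@garlik.com>"
[GNUPG:] VALIDSIG 18A2AF280CA59E77AE512BB39ED0B04E51F2F7EF 2009-06-03 1244067592 0 4 0 1 2 00 18A2AF280CA59E77AE512BB39ED0B04E51F2F7EF
[GNUPG:] TRUST_ULTIMATE
"""


def parse_gpg_status(output):
    """Pull the fields a verifier needs out of gpg's status-fd text."""
    result = {"good": False, "bad": False, "key_id": None, "uid": None,
              "fingerprint": None, "sig_time": None, "trust": None}
    for line in output.splitlines():
        if not line.startswith(STATUS_PREFIX):
            continue                      # human-readable "gpg:" lines are ignored
        fields = line[len(STATUS_PREFIX):].split()
        if not fields:
            continue
        tag, args = fields[0], fields[1:]
        if tag == "GOODSIG" and args:
            result["good"] = True
            result["key_id"] = args[0]    # long key id of the signing key
            result["uid"] = " ".join(args[1:])
        elif tag in ("BADSIG", "ERRSIG"):
            result["bad"] = True
        elif tag == "VALIDSIG" and len(args) >= 3:
            # VALIDSIG <fingerprint> <sig date> <sig timestamp> ... <primary key fpr>
            result["fingerprint"] = args[0]
            result["sig_time"] = int(args[2])
        elif tag.startswith("TRUST_"):
            result["trust"] = tag         # newer gpg appends extra args; the tag is enough
    return result


def trust_rank(status):
    """Numeric rank of the signing key's trust, -1 when unknown."""
    trust = status.get("trust")
    return TRUST_ORDER.index(trust) if trust in TRUST_ORDER else -1


def is_trustworthy(status, minimum="TRUST_FULLY"):
    """A signature counts only if it verified AND the key has at least the
    required trust in the local keyring. A GOODSIG with TRUST_UNDEFINED means
    the maths checked out but nobody in your web of trust vouches for the key."""
    if status["bad"] or not status["good"] or status["fingerprint"] is None:
        return False
    return trust_rank(status) >= TRUST_ORDER.index(minimum)


if __name__ == "__main__":
    status = parse_gpg_status(SAMPLE_OUTPUT)
    print(status["uid"], status["trust"], "trustworthy:", is_trustworthy(status))
```

Run the real thing with the command above and feed gpg's stderr to parse_gpg_status; a BADSIG line, or a GOODSIG with no trust line better than TRUST_UNDEFINED, both come back as not trustworthy.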

Inode Failure

Wednesday, July 8th, 2009

Hello All,

I had one of my hard-drives fail miserably a couple of weeks ago, and have only now recovered all of my blog content from Google’s and Yahoo’s caches. I have recreated all of the content and have set up a cronjob to back up my SQL tables. I had copies of most of the important stuff on my machine and only lost my SQL tables … d’oh….

I have set the following 301 redirects from all of the old URLs, I don’t think I have missed any out. Do shout if you find any old broken URLs on my site.

redirect 301 /blog/2009/04/02/barcamp-09/ /blog/2009/07/07/barcamp-09/
redirect 301 /blog/2009/03/24/time-machine-to-a-linux-box/ /blog/2009/07/07/timemachine-to-a-linux-box/
redirect 301 /blog/2009/03/23/signing-a-public-key/ /blog/2009/07/08/signing-someone’s-public-key/
redirect 301 /blog/2009/03/20/making-foaf-useful/ /blog/2009/07/08/making-foaf-useful/
redirect 301 /blog/2009/03/19/yum_64bit_binaries/ /blog/2009/07/07/configuring-yum-to-only-install-64bit-binaries/
redirect 301 /blog/2009/03/19/webdav_webid/ /blog/2009/07/08/enabling-a-writable-webid-with-webdav/
redirect 301 /blog/2009/03/18/foafwot/ /blog/2009/07/08/enabling-trust-in-a-foaf-document/
redirect 301 /blog/2009/03/17/signingverifyinggpg/ /blog/2009/07/08/signing-and-verifying-documents-using-gnupg/
redirect 301 /blog/2009/02/05/ah-good-work-tobyink/ /blog/2009/07/07/ah-good-work-tobyink-…/
redirect 301 /blog/2009/01/28/duplicate-dylib-libiconv2/ /blog/2009/07/07/duplicate-dylib-libiconv-2-dylib/
redirect 301 /blog/2008/12/31/ld-duplicate-symbol-mac-osx/ /blog/2009/07/07/ld-duplicate-symbol-_g_bit_nth_lsf-mac-osx-leoparddarwin/

iPhone Tethering …

Wednesday, July 8th, 2009

I have used Jules’s blog post to have a go at iPhone tethering and it seems to work fine. If you attempt to tether, make sure you use Jules’s updated howto from 2009-06-18. All you have to do is point your iPhone at the following URL http://www.jules.fm/files/uk.o2.mobileconfig and follow the instructions on how to run it here http://richardlai.xanga.com/704930537/enable-tethering-on-iphone-30—too-easy-worldwide-carriers/

Firefox 3.5 and W3C Geo API

Wednesday, July 8th, 2009

I have made a simple webpage which makes use of the W3C Geo API. The page will prompt you for your location, given you are using FF3.5, and will subsequently ask you for a WebID and some text to describe what you are up to.

The service then generates a call to another endpoint I bashed together, which takes the following CGI arguments:

  • webid
  • lat
  • long
  • alt (OPTIONAL)
  • datetime
  • doing (the “what I am doing now” field)

e.g.,

http://mmt.me.uk/services/FOAFEvent?lat=51.4583494&long=-0.1186444&webid=http://foo.com/foaf.rdf%23bar&datetime=2009-07-08T13:02:46+01:00&doing=writing+a+blog+article


That in turn generates a FOAF person scrobble, or a FOAF Event. I have made use of the Event, Timeline, FOAF, DC, and Geo ontologies.
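The worked URL above carries a WebID with a "#" fragment and a timezone offset with a "+", both of which need percent-encoding on the wire: a CGI library that form-decodes the query string turns a literal "+" into a space, and a "&" typed into the "doing" field would otherwise start a new parameter. Here is an added example (my code, not the service’s own) that builds the request from a geolocation fix with every argument encoded, and decodes it back the way the endpoint would see it. The endpoint URL and argument names are taken from the post; the sample coordinates and text are constructed.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode, urlsplit

# Added example, not the post's own service code. Endpoint and argument names
# (webid, lat, long, alt, datetime, doing) are from the post.
ENDPOINT = "http://mmt.me.uk/services/FOAFEvent"


def iso_with_offset(dt):
    """Format an aware datetime the way the post's example does: 2009-07-08T13:02:46+01:00."""
    if dt.utcoffset() is None:
        raise ValueError("datetime must carry a timezone")
    return dt.isoformat(timespec="seconds")


def build_foaf_event_url(webid, lat, long, datetime_str, doing, alt=None, endpoint=ENDPOINT):
    """Return the GET URL for one FOAF Event. Coordinates are validated as
    numbers; urlencode's quote_plus turns '#' into %23, '+' into %2B, ':'
    into %3A and '&' into %26, so no value can break out of its parameter."""
    args = [("lat", repr(float(lat))), ("long", repr(float(long)))]
    if alt is not None:                       # alt is optional, as in the API
        args.append(("alt", repr(float(alt))))
    args += [("webid", webid), ("datetime", datetime_str), ("doing", doing)]
    return endpoint + "?" + urlencode(args)


def parse_foaf_event_url(url):
    """Decode a request the way a form-decoding CGI library would,
    so the round trip can be checked (first value of each argument)."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {key: values[0] for key, values in query.items()}


def sample_request():
    """Constructed sample mirroring the post's worked example."""
    when = datetime(2009, 7, 8, 13, 2, 46, tzinfo=timezone(timedelta(hours=1)))
    return build_foaf_event_url("http://foo.com/foaf.rdf#bar", "51.4583494", "-0.1186444",
                                iso_with_offset(when), "writing a blog article")


if __name__ == "__main__":
    url = sample_request()
    print(url)
    print(parse_foaf_event_url(url))
```

In the browser page, the values come from position.coords.latitude / longitude (and coords.altitude when it is not null) and the same encoding is done with encodeURIComponent; the point is the same in both languages: encode each argument separately, never paste raw strings into the query.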

So this service can be found on my site, http://mmt.me.uk/geo. It should be noted that I DO NOT store any of the information which I output on this site. I will make it HTTPS at some point, and then I will replace using Plazes.com with my own service. I would rather a world where I was running all of my own social networking from my own machine.

The code to do this is very simple. For the W3C geo part all you need is some HTML and JavaScript, like so:

<script src="http://maps.google.com/maps?file=api&v=2&key=YOUR_API_KEY_HERE" type="text/javascript"></script>
<script type="text/javascript">
function load() {
  // W3C Geolocation API: the browser prompts the user before handing over a position
  if (!navigator.geolocation) {
    return;
  }
  navigator.geolocation.getCurrentPosition(showMap);
}
function showMap(position) {
  // position.coords carries latitude and longitude (plus accuracy, and altitude when known)
  if (GBrowserIsCompatible()) {
    var map = new GMap2(document.getElementById("map"));
    var point = new GLatLng(position.coords.latitude, position.coords.longitude);
    map.setCenter(point, 13);
    map.addOverlay(new GMarker(point));
  }
}
</script>
<div id="map" style="width: 620px; height: 310px"></div>

and this :

<body onload="load()" onunload="GUnload()">

Here are a bunch of links which I used to find out how to do this:

Enabling Trust in a FOAF Document

Wednesday, July 8th, 2009

This blog post follows on from my previous one signing and verifying files with GnuPG, whereby I showed (he says), in its simplest form, how one can digitally sign and verify a document. This in turn allows anyone reading the document to verify whether or not it has been tampered with since it was signed.

In this post I will describe two methods of linking to a digital signature from an RDF document. The RDF document I will be describing in this post is a FOAF document, but it is needless to say that this approach can be used from any RDF file.

The method described below makes use of the Web of Trust ontology (WOT). WOT allows for RDF documents to be signed using Digital Signatures and Public Key Cryptography.

Whilst putting together the foaf validator, which checks the semantics of an RDF document to ensure that it is a well-formed foaf:PersonalProfileDocument, I came across these two different methods of using the Web of Trust ontology.

Linking to an armored digital signature using the WOT ontology from your FOAF file:

Step 0: Declare the wot namespace in the FOAF file

@prefix wot: <http://xmlns.com/wot/0.1/> .

Step 1

Add a triple from the Document pointing to the digital signature like so:

<> wot:assurance <http://foo.com/foaf.rdf.asc> .

Step 2

Add triples associating the public key used to sign the FOAF document with the FOAF person. This can be done in one of two ways, like so:

Style 1

_:bnode0 a <http://xmlns.com/wot/0.1/PubKey> .
_:bnode0 dc:title "Public Key Bnode" .
_:bnode0 wot:fingerprint "FW89F7WF78SD8F7SD7FG21JL213192" .
_:bnode0 wot:hex_id "12A75E9B" .
_:bnode0 wot:identity <#me> .
_:bnode0 wot:pubkeyAddress <http://foo.com/me.pubkey.asc> .

This is how I sign my FOAF file.

Style 2

<#me> wot:hasKey _:bnode0 .
_:bnode0 a <http://xmlns.com/wot/0.1/PubKey> .
_:bnode0 wot:pubkeyAddress <http://foo.com/me.pubkey.asc> .
_:bnode0 dc:title "Public Key Bnode" .
_:bnode0 wot:fingerprint "FW89F7WF78SD8F7SD7FG21JL213192" .
_:bnode0 wot:hex_id "12A75E9B" .

This is how Kjetil signs his FOAF file.

Both of these methods of associating a public key with a FOAF WebID, which can in turn be used to digitally sign a FOAF file, are supported by Garlik's FOAF validator.
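Whichever style is used, a verifier has one check to make that the ontology alone does not enforce: the key the document claims (wot:fingerprint, wot:hex_id) must be the key that actually produced the wot:assurance signature, otherwise anyone could sign the file with their own key and point wot:pubkeyAddress at it. The following is an added example, not code from this post or from Garlik’s validator, that reads the key description out of either style above and compares it against the fingerprint gpg reports on its VALIDSIG status line. The reader only handles the one-statement-per-line Turtle shown above; the style 1 sample uses the real fingerprint and key id printed in the verification output at the top of this page, the style 2 sample keeps the post’s placeholder fingerprint.

```python
import re

# Added example, not from the post or the FOAF validator: extract wot:PubKey
# claims from the one-statement-per-line Turtle shown above and check them.
STATEMENT = re.compile(r'^\s*(\S+)\s+(\S+)\s+(.+?)\s*\.?\s*$')

# Constructed sample in style 1 (key -> person via wot:identity), using the
# fingerprint and key id gpg printed earlier on this page.
STYLE1 = """
@prefix wot: <http://xmlns.com/wot/0.1/> .
<> wot:assurance <http://foo.com/foaf.rdf.asc> .
_:bnode0 a <http://xmlns.com/wot/0.1/PubKey> .
_:bnode0 dc:title "Public Key Bnode" .
_:bnode0 wot:fingerprint "18A2 AF28 0CA5 9E77 AE51 2BB3 9ED0 B04E 51F2 F7EF" .
_:bnode0 wot:hex_id "51F2F7EF" .
_:bnode0 wot:identity <#me> .
_:bnode0 wot:pubkeyAddress <http://foo.com/me.pubkey.asc> .
"""

# Constructed sample in style 2 (person -> key via wot:hasKey) with the post's placeholder.
STYLE2 = """
<#me> wot:hasKey _:bnode0 .
_:bnode0 a <http://xmlns.com/wot/0.1/PubKey> .
_:bnode0 wot:pubkeyAddress <http://foo.com/me.pubkey.asc> .
_:bnode0 wot:fingerprint "FW89F7WF78SD8F7SD7FG21JL213192" .
_:bnode0 wot:hex_id "12A75E9B" .
"""


def parse_statements(turtle):
    """Yield (subject, predicate, object) per statement line, skipping @prefix and comments."""
    for line in turtle.splitlines():
        line = line.strip()
        if not line or line.startswith("@prefix") or line.startswith("#"):
            continue
        match = STATEMENT.match(line)
        if match:
            yield match.groups()


def _plain(node):
    """Strip the <> of an IRI or the quotes of a literal; blank nodes pass through."""
    return node[1:-1] if node[:1] in '<"' else node


def normalize_fingerprint(fpr):
    """gpg prints fingerprints in spaced groups, WOT files often do not."""
    return re.sub(r"\s+", "", fpr).upper()


def extract_key_claims(turtle):
    """One dict per wot:PubKey: owner (style 1 or 2), fingerprint, hex id, key location."""
    statements = list(parse_statements(turtle))
    keys = {s: {"key_node": s, "identity": None} for s, p, o in statements
            if p == "a" and _plain(o).endswith("wot/0.1/PubKey")}
    for s, p, o in statements:
        if p == "wot:hasKey" and o in keys:        # style 2: person -> key
            keys[o]["identity"] = _plain(s)
        elif s in keys:
            if p == "wot:identity":                # style 1: key -> person
                keys[s]["identity"] = _plain(o)
            elif p == "wot:fingerprint":
                keys[s]["fingerprint"] = normalize_fingerprint(_plain(o))
            elif p == "wot:hex_id":
                keys[s]["hex_id"] = _plain(o).upper()
            elif p == "wot:pubkeyAddress":
                keys[s]["pubkey_address"] = _plain(o)
    return list(keys.values())


def key_claim_is_consistent(claim):
    """A v4 OpenPGP fingerprint is 40 hex digits and the short key id is its
    last 8, so a placeholder like the post's can never be a real claim."""
    fpr = claim.get("fingerprint", "")
    if not re.fullmatch(r"[0-9A-F]{40}", fpr):
        return False
    hex_id = claim.get("hex_id", "")
    return hex_id == "" or fpr.endswith(hex_id)


def claim_matches_signature(claim, validsig_fingerprint):
    """True only if the claim is well formed and names the key that made the signature."""
    return key_claim_is_consistent(claim) and \
        claim.get("fingerprint") == normalize_fingerprint(validsig_fingerprint)


if __name__ == "__main__":
    for sample in (STYLE1, STYLE2):
        for claim in extract_key_claims(sample):
            print(claim, "consistent:", key_claim_is_consistent(claim))
```

For a real file, the validsig_fingerprint argument is the first field of gpg's VALIDSIG line when verifying the document against its wot:assurance signature; a mismatch means the document was signed by a key other than the one it claims.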

Enabling a Writable WebID with WebDAV

Wednesday, July 8th, 2009

In this post I will describe how you can enable write access to a file, specifically an RDF one, via Apache’s HTTP server and the Web Distributed Authoring and Versioning (WebDAV) extension to the HTTP protocol.

So, why would you want to do this?

I use WebDAV on my FOAF file to enable write access via Tim Berners-Lee’s Tabulator and Garlik’s foafbuilder. This technology allows me to write updates straight through the HTTP protocol, so that I don’t have to save the file to my local machine, and scp it over.

These are the configuration settings needed in your httpd.conf file:

Setting up WebDAV on a whole directory:

<VirtualHost *:80>
    ServerName www.foo.com
    ServerAlias foo.com
    Alias / /var/www/foo/public_html/

    <Location />
        DAV On
        AuthType Basic
        AuthName "webdav"
        Header set MS-Author-Via DAV
        AuthUserFile /var/www/foo/passwd.dav

        <LimitExcept GET HEAD OPTIONS POST>
            Require user bar
        </LimitExcept>
    </Location>
</VirtualHost>

Enabling WebDAV for all files ending in .rdf:

<VirtualHost *:80>
    ServerName www.foo.com
    ServerAlias foo.com
    Alias / /var/www/foo/public_html/

    <Files ~ ".*\.rdf">
        DAV On
        AuthType Basic
        AuthName "webdav"
        AuthUserFile /var/www/foo/passwd.dav
        Header set MS-Author-Via DAV
        ForceType application/rdf+xml

        <LimitExcept GET HEAD OPTIONS POST>
            Require user bar
        </LimitExcept>
    </Files>
</VirtualHost>

It should be noted that the methods presented above allow for the files to be read normally via HTTP, as well as catering for writing via WebDAV.
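The thing worth checking after a reload is that the LimitExcept block really does what it says: GET, HEAD, OPTIONS and POST are open to everyone, and every other method (PUT, PROPFIND, MOVE, …) gets a 401 unless the Basic login matches the AuthUserFile. The following is an added example, not part of this post, in two halves: a tiny stand-in server that enforces that same policy, so the script runs offline, and a probe() that you can point at the real Apache host. The user “bar” comes from the config above; its password “s3cret” and the stored document are constructed for the demo.

```python
import base64
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Added example, not from the post. USERS stands in for AuthUserFile and STORE
# for the DAV-enabled directory; the password and document are constructed.
USERS = {"bar": "s3cret"}
STORE = {"/foaf.rdf": b"<rdf:RDF/>\n"}


class DavPolicyHandler(BaseHTTPRequestHandler):
    """Mirrors <LimitExcept GET HEAD OPTIONS POST>: reads are open, PUT needs Basic auth."""

    def _authorized(self):
        header = self.headers.get("Authorization", "")
        if not header.startswith("Basic "):
            return False
        try:
            user, _, password = base64.b64decode(header[6:]).decode().partition(":")
        except ValueError:               # bad base64 or non-UTF-8 credentials
            return False
        return USERS.get(user) == password

    def _deny(self):
        self.send_response(401)
        self.send_header("WWW-Authenticate", 'Basic realm="webdav"')
        self.end_headers()

    def _dav_headers(self):
        self.send_header("DAV", "1")
        self.send_header("MS-Author-Via", "DAV")   # the header the post describes

    def do_GET(self):
        body = STORE.get(self.path)
        self.send_response(200 if body is not None else 404)
        self._dav_headers()
        self.end_headers()
        if body is not None:
            self.wfile.write(body)

    def do_OPTIONS(self):
        self.send_response(200)
        self._dav_headers()
        self.send_header("Allow", "GET,HEAD,OPTIONS,POST,PUT,PROPFIND")
        self.end_headers()

    def do_PUT(self):
        if not self._authorized():       # PUT is not in the LimitExcept list
            self._deny()
            return
        length = int(self.headers.get("Content-Length", 0))
        STORE[self.path] = self.rfile.read(length)
        self.send_response(204)
        self.end_headers()

    def log_message(self, *args):        # keep the demo quiet
        pass


def start_server():
    """Run the stand-in on a random loopback port in a background thread."""
    server = HTTPServer(("127.0.0.1", 0), DavPolicyHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def probe(host, port, path, user=None, password=None):
    """Status codes for an anonymous GET, an anonymous PUT and, when credentials
    are given, an authenticated PUT. A correctly configured host answers
    200, 401 and 204 (or 201 when the PUT creates a new file)."""
    def request(method, headers=None, body=None):
        conn = http.client.HTTPConnection(host, port, timeout=5)
        conn.request(method, path, body=body, headers=headers or {})
        response = conn.getresponse()
        response.read()
        conn.close()
        return response.status

    results = {"get": request("GET"), "anon_put": request("PUT", body=b"x")}
    if user is not None:
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        results["auth_put"] = request("PUT", {"Authorization": "Basic " + token}, b"<rdf:RDF/>\n")
    return results


if __name__ == "__main__":
    server = start_server()
    print(probe("127.0.0.1", server.server_address[1], "/foaf.rdf", "bar", "s3cret"))
    server.shutdown()
```

Note that with AuthType Basic on *:80 the password crosses the wire base64-encoded, not encrypted, so the same DAV location wants an HTTPS virtual host before the credentials are used from anywhere but localhost.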

WebDAV related HTTP Headers:

The correct HTTP header used to tell a client that a file is WebDAV enabled is:

MS-Author-via: DAV

Some of this information was taken from the ESW wiki’s article “EditingData”, and I should thank everyone who helped put it together.

Signing someone’s public key

Wednesday, July 8th, 2009

In order to help make a digital signature trustworthy you can ask people you know who also own gpg identities to sign yours. This in turn allows for the web of trust to be bootstrapped by people signing and verifying each others gpg identities.

In order to sign a gpg identity, one needs to:

  • Import the user’s public key (mine can be grabbed from here):
    gpg --import somePubKey.asc
  • Check the identity’s fingerprint:
    gpg --fingerprint PubKeyHexValue
  • Once you are convinced the key belongs to whoever you think it should, sign the key:
    gpg --sign-key PubKeyHexValue
  • Send the signed key back to your keyserver:
    gpg --send-keys PubKeyHexValue

I sign all of my emails using my gpg key; it should be noted that only emails sent from my laptop can be signed using this identity. I should thank my former colleagues from the University of Southampton who signed my gpg identity; they have done their little bit to help bootstrap the Web of Trust.

Signing and Verifying documents using GnuPG

Wednesday, July 8th, 2009

In this post I will describe how to sign a document and in turn verify its validity. Below I describe how one can use the open-source GnuPG implementation of the OpenPGP standard, as defined by RFC 4880, as a mechanism of trust. You can find more information in the PGP FAQ at pgp.net.

So, why would you ever want to sign a document using the OpenPGP standard?

One can sign a file using the OpenPGP standard before putting it in the public domain, so that if and when another person or agent views the file they can check whether or not it has been tampered with en route. This gives the creator of a document a way to sign their work, which in turn lets the reader know whether or not the file has been altered since it was signed.

In essence every user has a public and a private key. When a GnuPG user signs a file, GnuPG computes a checksum (hash) of the whole file and signs it with the user’s private key. Anyone holding the file, the signature and the user’s public key can then have GnuPG recompute the checksum and compare it against the signed one, which verifies that the document has not been tampered with.

Step 0

After creating your gpg keys you have to ensure that you have pushed your public key to one of the public keyservers; you can do this like so:

gpg --keyserver pgp.mit.edu --send-keys YOUR-EMAIL-ADDRESS

Make sure that your private key is private and not accessible to any of the other users set up on your machine. You can do this by:

chmod 600 ~/.gnupg/YOURPRIVATEKEY.asc

Make sure this is safe, for this is the only file someone needs to pretend to be you.

Signing a file using GnuPG

In this example the file which we are signing is called foaf.rdf. After setting up your gpg keys you can sign the file like so:

gpg -a --detach-sign foaf.rdf

This creates a file called foaf.rdf.asc (ASCII-armored digital signature) in the directory where the command was executed.

Checking a file against its ASCII-armored digital signature

If you have both the original file and its ASCII-armored digital signature in the current working directory you can verify the file’s integrity by executing the following command:

gpg --verify foaf.rdf.asc foaf.rdf

The output of this last command tells the user whether or not the file has been altered since it was signed.
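To see the whole cycle end to end, here is an added example (my script, not the post’s own commands) that drives gpg through the steps above inside a throw-away GNUPGHOME, then appends a line to the signed file and verifies again to show the signature no longer checks out. It assumes GnuPG 2.1 or later on PATH (for --quick-gen-key and --pinentry-mode loopback); the key’s user id and the document contents are constructed, and the demo key has no passphrase purely to keep the run non-interactive.

```python
import os
import shutil
import subprocess
import tempfile

# Added example, not the post's own commands. Assumes GnuPG 2.1+ on PATH.
GPG = shutil.which("gpg")
USER_ID = "Example Signer <signer@example.invalid>"     # constructed demo identity


def run_gpg(home, *args, check=True):
    """Run gpg non-interactively against an isolated keyring directory."""
    cmd = [GPG, "--batch", "--quiet", "--pinentry-mode", "loopback",
           "--passphrase", "", *args]
    return subprocess.run(cmd, env={**os.environ, "GNUPGHOME": home},
                          capture_output=True, text=True, check=check)


def sign_detached(home, path):
    """Same as 'gpg -a --detach-sign foaf.rdf': writes the armored signature to path + '.asc'."""
    run_gpg(home, "--yes", "-a", "--detach-sign", path)
    return path + ".asc"


def verify_detached(home, sig_path, path):
    """Same as 'gpg --verify foaf.rdf.asc foaf.rdf', but reading the machine-readable
    status lines: VALIDSIG only appears when the signature matches the unmodified file."""
    proc = run_gpg(home, "--status-fd", "1", "--verify", sig_path, path, check=False)
    return any(line.startswith("[GNUPG:] VALIDSIG ") for line in proc.stdout.splitlines())


def demo():
    """Return (signature valid before tampering, signature valid after tampering)."""
    workdir = tempfile.mkdtemp()
    home = os.path.join(workdir, "gnupg")
    os.mkdir(home, 0o700)                  # gpg insists on a private home directory
    try:
        # Step 0: a throw-away key with no passphrase (real keys should have one)
        run_gpg(home, "--quick-gen-key", USER_ID, "default", "default", "never")
        doc = os.path.join(workdir, "foaf.rdf")
        with open(doc, "w") as f:
            f.write("<rdf:RDF><foaf:Person/></rdf:RDF>\n")   # constructed content
        sig = sign_detached(home, doc)
        before = verify_detached(home, sig, doc)
        with open(doc, "a") as f:
            f.write("extra line added after signing\n")      # the tampering
        after = verify_detached(home, sig, doc)
        return before, after
    finally:
        if shutil.which("gpgconf"):        # stop the agent gpg started for this home
            subprocess.run(["gpgconf", "--kill", "gpg-agent"],
                           env={**os.environ, "GNUPGHOME": home}, capture_output=True)
        shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    before, after = demo()
    print("signature valid before tampering:", before)
    print("signature valid after tampering: ", after)
```

The second verification prints a BADSIG status line and exits non-zero; that is the whole point of the detached signature: the file is still perfectly readable, but nobody who checks it will mistake the altered copy for the one you signed.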

Making FOAF useful ?

Wednesday, July 8th, 2009

FOAF files in isolation only give you information about a person, and who they know – i.e. who they claim to know in their FOAF file.

At Garlik we have implemented a reverse search facility for FOAF, whereby given an API request one can get back triples containing a list of people who claim to know the FOAF URI/IFP used to generate the API request. This list of people is taken from our knowledge base of harvested FOAF files, which currently holds around 10 million individual FOAF files.

By including an API request to our reverse search in your FOAF file, you can have a FOAF file with both links out and links in :) Wow (he says)…

This API call – http://foaf.qdos.com/reverse/?path=http://mmt.me.uk/foaf.rdf%23mischa – returns an RDF fragment listing foaf:People that claim to know me.

All you need to do is add one triple that requests RDF from our reverse search API to your FOAF file. The triple will look something like this:

<#me> rdfs:seeAlso <http://foaf.qdos.com/reverse/?path=http://foo.com/foaf.rdf%23me> .

You can find examples of this API call in Danbri’s, Steve Harris’s, and my FOAF files.

There is some information regarding how to use the API on the reverse search HTML page.