The Sun BabelFish Blog
Don't panic !
foaf+ssl, pki and the duck-rabbit
In part II §xi of the "Philosophical Investigations", Ludwig Wittgenstein introduces the duck-rabbit figure:
I shall call the following figure derived from Jastrow, the duck-rabbit. It can be seen as a rabbit's head or as a duck's. And I must distinguish between the 'continuous seeing' of an aspect and the 'dawning' of an aspect.
The picture might have been shewn me, and I never have seen anything but a rabbit in it.
It is worth stopping here and considering that illustration carefully, making sure you can see it one way and then the other. Notice that there is no illusion here: there is not one correct way to see the line; the figure itself is ambiguous. The duck-rabbit therefore shows very simply how the way we perceive the world can change without any new fact appearing in the world.
Is that not what magic does?
Much more complex examples of this phenomenon can be found. In some cases it is much more difficult to switch between meanings. I find this with the Young Woman / Old Woman image, for example. I really have to work hard there to see the other interpretation, and once I have found it I find switching back very difficult.
Recently I have felt that the foaf+ssl protocol does something similar to Public Key Infrastructure (PKI). We take a tool that was always meant to be used one way and use it in a completely different way, a way that was of course always permitted, but that nobody saw (or if they did, they did not pursue it openly).
To perceive this different way of using the tool one has to look at it differently, just as with the duck-rabbit. One has to see it in a new way, or perhaps even use it in a new way. Whereas PKI is used for hierarchical trust, we use it to build a web of trust. Where X509 certs built a lot on the Distinguished Name hierarchy, we nearly ignore it. Where X509 tried to place information in the certificate, we place it outside, at the name location. Even though SSL can request client certificates in the browser, nobody does this, yet we build on this little-known feature. Self-signed client certificates, which would not have made sense in a traditional PKI infrastructure because they prove nearly nothing about the client, are what we build everything on.
All the usual X509 and ssl tools work just as they should, but magically it seems they are suddenly found to be doing something completely different.
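As an added example (not code from the original post, nor from any foaf+ssl implementation), this Go program models the inverted use described above: a self-signed client certificate carries the name location (the WebID, in foaf+ssl terms) as a SubjectAltName URI, and verification ignores any CA chain, checking only that the profile published at that URI lists the certificate's RSA modulus and exponent. The Profiles map and the function names are constructed stand-ins for dereferencing the profile over HTTP.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"errors"
	"math/big"
	"net/url"
	"time"
)

// Profiles stands in for dereferencing a WebID over HTTP (constructed, in-memory):
// WebID URI -> RSA public keys (modulus, exponent) that its profile publishes.
var Profiles = map[string][]*rsa.PublicKey{}

// SelfSignedCert issues a self-signed client cert carrying the WebID as a SAN URI.
func SelfSignedCert(webid *url.URL, key *rsa.PrivateKey) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		URIs:         []*url.URL{webid},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// VerifyWebID returns the WebID a client certificate authenticates. No CA chain is
// checked: the TLS handshake already proved the peer holds the private key, so
// identity rests solely on the profile at the SAN URI listing that same key.
func VerifyWebID(cert *x509.Certificate) (string, error) {
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return "", errors.New("example handles RSA keys only")
	}
	for _, u := range cert.URIs {
		for _, k := range Profiles[u.String()] {
			if k.E == pub.E && k.N.Cmp(pub.N) == 0 {
				return u.String(), nil
			}
		}
	}
	return "", errors.New("no SAN URI whose profile publishes the certificate's key")
}
```

The same certificate is rejected while no profile lists its key and accepted once the profile at its SAN URI does, which is the whole of the trust shift the post describes.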
Posted at 09:08PM Dec 30, 2008 [permalink/trackback] by Henry Story in SemWeb | Comments[4]
Very clever :)
I kind of felt this way when I first read about REST; using the HTTP verbs to perform CRUD operations and such, seemed so novel, so simple, and so BRAND NEW. I guess that had always been Tim Berners-Lee's intent, but it was all new to me, and changed my perception of HTTP without any new facts.
Posted by Dustin Whitney on December 31, 2008 at 12:01 AM CET #
The problem (I think) with how you use the certs though is that the real trust (if Juliet does not know Romeo a priori) is that Juliet's friends know Romeo, and when I say "know", I don't mean that in any cryptographic sense (Juliet's friends haven't signed Romeo's key/key fingerprint for example). Why wouldn't it then be enough for Juliet to base her trust on the appearance of Romeo's OpenID in her friends' FOAF files, for example?
I like the web of trust model, but in order for there to be verifiable trust based on certs/keys, don't you also need key/cert/fingerprint signing parties? http://en.wikipedia.org/wiki/Key_signing_party
Posted by John Kemp on January 16, 2009 at 03:01 PM CET #
Hi John,
your comment would more properly belong to
http://blogs.sun.com/bblfish/entry/foaf_ssl_adding_security_to
which describes the protocol.
I'll copy it over there, and answer it.
Posted by Henry Story on January 17, 2009 at 02:07 PM CET #
John, the answer to your question ended up being long enough that I wrote a new blog post to answer it:
http://blogs.sun.com/bblfish/entry/more_on_authorization_in_foaf
Posted by Henry Story on January 17, 2009 at 04:02 PM CET #