Advantages/disadvantages of RDF instances

537 views
Skip to first unread message

E. Cohen

unread,
Apr 21, 2007, 8:12:37 PM4/21/07
to XBRL Ontology Specification Group
One of the most powerful stories in the world of XML is that of
security. Whereas previously signatures and encryption were largely at
the file, or document, level, XML Signature and XML Encryption promise
new capabilities - the ability to sign and encrypt individual
elements, XPath expressions, and more. Some of this power can be
attributed to the ability to sign trees.

If RDF instances are graphs and not trees, is something lost here?
What are the security standards for the Semantic Web? Can we make sure
the right people get the right access to the right information - and
that the wrong people don't?

Case in point:

One of the groups evaluating XBRL's Global Ledger is the US
Government. Having a seamless (but secure) audit trail from
transactions at the agency level up to end reporting, with the ability
to find your way back through the information, is vital.

Case in point: Covert agency A has amongst its accounting records
information about a check sent to "Mercanaries Incorporated" for
$160,000 for "Plan 208.36.998 to take out UBL". This data will find
its way all the way the agency's books and records, through various
oversight organizations, and right out to the end reporting, with
detail available through it all to become drill-down for the end
report or points between ... although the vendor ("Mercanaries
Incorporated") and purpose ("Plan 208.36.998 to take out UBL") will be
encrypted. A 5 star general looking at the end data will be able to
see what they need to see. Others will only see cyphertext.

This is a possibility with XBRL GL. Is this a possibility with
instances created in accordance with GLO (Global Ledger Ontology)?

NB 1 - I am one of the contributors to the XML Encryption
Recommendation (http://www.w3.org/TR/xmlenc-core/).

NB 2: UBL, in this case, is NOT the Universal Business Language.

<eccn />

Frederick Giasson

unread,
Apr 21, 2007, 8:58:40 PM4/21/07
to xbrl-ontology-sp...@googlegroups.com, E. Cohen, XBRL Ontology Specification Group
Hi Eric,

> One of the most powerful stories in the world of XML is that of
> security. Whereas previously signatures and encryption were largely at
> the file, or document, level, XML Signature and XML Encryption promise
> new capabilities - the ability to sign and encrypt individual
> elements, XPath expressions, and more. Some of this power can be
> attributed to the ability to sign trees.


This is a really interesting use case you outlined here.


> If RDF instances are graphs and not trees, is something lost here?

Don't think so. Instead of joining the Keys, information about used encoding
and encoded data with the element to encrypt, I would say that you would link
that information, using properties, to the Resource's URI (by example, you have
a Credit Card. This credit card is a resource. You would describe additional
properties to that resource to add the facts that the value of a property is
encrypted using a key X with an algo Y. Anyway, I would be surprised that nobody
worked on this problem before, so we will have to do search in that direction.

This is a good point.

> What are the security standards for the Semantic Web? Can we make sure

I am not an expert in the domain, more search would have to be done, but if it
is done in XML, it is sure that it is not harder to do the same thing (same
result) in RDF.

> the right people get the right access to the right information - and
> that the wrong people don't?

Well, all the right access to the right information is done by the encryption
algorithm (at least at a data level, what we are talking about here). It is sure
that a system level security can be added to compartmentalize the information by
security access level, etc. But it is unrelated to the development of this ontology.


> Case in point:
>
> One of the groups evaluating XBRL's Global Ledger is the US
> Government. Having a seamless (but secure) audit trail from
> transactions at the agency level up to end reporting, with the ability
> to find your way back through the information, is vital.
>
> Case in point: Covert agency A has amongst its accounting records
> information about a check sent to "Mercanaries Incorporated" for
> $160,000 for "Plan 208.36.998 to take out UBL". This data will find
> its way all the way the agency's books and records, through various
> oversight organizations, and right out to the end reporting, with
> detail available through it all to become drill-down for the end
> report or points between ... although the vendor ("Mercanaries
> Incorporated") and purpose ("Plan 208.36.998 to take out UBL") will be
> encrypted. A 5 star general looking at the end data will be able to
> see what they need to see. Others will only see cyphertext.

Well, this is all about encoding and exchanging data.


In fact, you can think about encrypting RDF properties value using a symmetric
key encryption algorithm (like they do with XMLEnc).

You could even think about using asymmetrical keys encryption algorithm to
exchange, between two parties, these symmetric encryption keys.

I already gave a try to that idea and applied it to a Secure Web Feed Protocol:

http://fgiasson.com/articles/swfp.pdf


> This is a possibility with XBRL GL. Is this a possibility with
> instances created in accordance with GLO (Global Ledger Ontology)?

I would say yes (I can't see why we couldn't, but we would have to check what
have been done in that direction first).


> NB 1 - I am one of the contributors to the XML Encryption
> Recommendation (http://www.w3.org/TR/xmlenc-core/).

Great use case, thanks for it, we will have to check that further for sure.
Anyone has experience with such case?

Take care,


Salutations,


Fred

kidehen

unread,
Apr 22, 2007, 11:18:50 AM4/22/07
to XBRL Ontology Specification Group
Eric,

RDF and XML are not mutually exclusive. XML in the context of XBRL is
simply a Data Source in the Context of RDF. When generating RDF
Instance Data the RDF generating technology will have to obtain XML
Data from the XML Data Source inline with the Data Access mechanisms
available to the data source.

You do not end up with RDF instance Data that is a compromised version
of the XML source data. This simply isn't what happens.

Also note RDF Instance Data may be Physical (an actual Data Extraction
of XML repurposed as an RDF Triple) or Virtuoso (generated "on the
fly" from the original Data Source).

If the Triples are Physical then this security enforcement becomes the
responsibility of the RDF Instance generating technology. If the
Triples are Virtual, this applies to a lesser degree since the
interaction with Data includes interaction with the XML Data Source as
RDF instance data access time.

Long story short, this isn't an RDF vs. XML matter at all.

Reply all
Reply to author
Forward
0 new messages