An RDF vocabulary for cryptographically signing content-addressed content using the Ed25519 algorithm.
1. Introduction
In previous work we have shown how RDF data can be made content-addressable [ContentAddressableRDF]. This automatically allows the integrity of the data to be verified. To ensure authenticity of content we need to mix in some asymmetric cryptography.
RDF Signify is a simple RDF vocabulary (a single class and three predicates) that describes how the Ed25519 [RFC8032] algorithm can be used for signing and verifying content.
RDF Signify cannot sign messages directly, but can be used to sign identifiers of content-addressed content. In particular it can sign identifiers of content-addressed RDF [ContentAddressableRDF] that is encoded with ERIS [ERIS].
We believe that RDF Signify is a significantly simpler approach than what is proposed in the context of Linked Data Proofs (previously Linked Data Signatures), allowing much easier implementation and wider adoption.
The vocabulary is inspired by the OpenBSD signify tool [signify].
2. Encoding of keys as URN
Public and secret keys are encoded as URNs.
A public key is encoded as a URI as follows:
crypto:ed25519:pk:V4B5SJBQMRDPL4FSLZWCBYJ4BYPAGJDI5EELORBGIADUTWP4EXTQ
where the 32-byte public key is encoded using the Base32 encoding without padding [RFC4648].
A secret key can be encoded similarly:
crypto:ed25519:sk:SKITUCNA6D4V6KWKQS4LJ5DHE7BJ75LCTI5LSJO3ZGY5BA6TMLMQ
3. Vocabulary
The RDF Signify vocabulary is described in the following. The complete vocabulary is given as Turtle in Appendix A and is also available at http://purl.org/signify.
The prefix signify: is used for http://purl.org/signify#.
3.1. Public Key
A public key may be published and attached to objects (e.g. an ActivityPub actor) using the signify:publicKey property.
For example this can be used to attach a public key to an ActivityStreams actor:
@prefix signify: <http://purl.org/signify#> .
@prefix as: <https://www.w3.org/ns/activitystreams#> .
<https://social.example/alyssa/>
    a as:Person ;
    as:name "Alyssa P. Hacker" ;
    as:preferredUsername "alyssa" ;
    signify:publicKey <crypto:ed25519:pk:V4B5SJBQMRDPL4FSLZWCBYJ4BYPAGJDI5EELORBGIADUTWP4EXTQ> .
3.2. Secret Key
Similarly to public keys, a secret key may be attached to objects using the signify:secretKey property.
Caution: Secret keys need to be kept secret and should never be attached to an object that may be shared or become public. The
3.3. Signature
The signify:Signature class defines an Ed25519 signature of a message.
The expected properties of a signify:Signature are:
- signify:message: The IRI that is signed. Range must be an IRI.
- rdf:value: The Ed25519 signature value of the UTF-8 encoded byte sequence of the message IRI, encoded as xsd:base64Binary.
- signify:publicKey: Public key of the secret key used to sign the message.
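As an added example (not part of this specification or its reference implementation), the following Go program, using only the standard library, parses and produces the crypto:ed25519:pk: URNs from Section 2, signs the UTF-8 bytes of a message IRI, and verifies the three properties of a signify:Signature. The Signature struct and the function names are the example's own.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base32"
	"encoding/base64"
	"fmt"
	"strings"
)

// Key URNs use unpadded Base32 (RFC 4648); the signature value is xsd:base64Binary.
var b32 = base32.StdEncoding.WithPadding(base32.NoPadding)

const pkPrefix = "crypto:ed25519:pk:"

// Signature holds the three expected properties of a signify:Signature.
type Signature struct {
	Message   string // signify:message: the signed IRI (e.g. an ERIS identifier)
	Value     string // rdf:value: the 64 Ed25519 signature bytes, base64-encoded
	PublicKey string // signify:publicKey: crypto:ed25519:pk: URN of the signer
}

// DecodePublicKey parses a key URN, rejecting wrong prefixes, bad Base32 and wrong lengths.
func DecodePublicKey(urn string) (ed25519.PublicKey, error) {
	raw, err := b32.DecodeString(strings.TrimPrefix(urn, pkPrefix))
	if !strings.HasPrefix(urn, pkPrefix) || err != nil || len(raw) != ed25519.PublicKeySize {
		return nil, fmt.Errorf("malformed public key URN %q: %v", urn, err)
	}
	return ed25519.PublicKey(raw), nil
}

// Sign signs the UTF-8 bytes of the message IRI itself, not the content it addresses.
func Sign(sk ed25519.PrivateKey, messageIRI string) Signature {
	sig := ed25519.Sign(sk, []byte(messageIRI))
	pk := sk.Public().(ed25519.PublicKey)
	return Signature{Message: messageIRI, Value: base64.StdEncoding.EncodeToString(sig),
		PublicKey: pkPrefix + b32.EncodeToString(pk)}
}

// Verify checks rdf:value over the message IRI with the key named in signify:publicKey.
func Verify(s Signature) (bool, error) {
	pk, err := DecodePublicKey(s.PublicKey)
	if err != nil {
		return false, err
	}
	sig, err := base64.StdEncoding.DecodeString(s.Value)
	if err != nil {
		return false, fmt.Errorf("malformed rdf:value: %v", err)
	}
	return ed25519.Verify(pk, []byte(s.Message), sig), nil // false on tamper or wrong length
}
```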
5. Acknowledgments
RDF Signify was developed as part of the openEngiadina project and has been supported by the NLnet Foundation through the NGI0 Discovery Fund.
Appendix A: RDF Vocabulary
@prefix signify: <http://purl.org/signify#> .
@prefix rdf: <http://www.w3.org/1999/02/22-rdf-syntax-ns#> .
@prefix rdfs: <http://www.w3.org/2000/01/rdf-schema#> .
@prefix owl: <http://www.w3.org/2002/07/owl#> .
<http://purl.org/signify#>
    a owl:Ontology ;
    rdfs:label "RDF Signify" ;
    rdfs:comment "A RDF vocabulary for cryptographically signing content-addressed content using the Ed25519 algorithm."@en .
signify:publicKey
    a rdf:Property ;
    rdfs:label "Public Key"@en ;
    rdfs:comment "An associated Ed25519 public key"@en .
signify:secretKey
    a rdf:Property ;
    rdfs:label "Secret Key"@en ;
    rdfs:comment "An associated Ed25519 secret key"@en .
signify:Signature
    a rdfs:Class ;
    rdfs:label "Signature"@en ;
    rdfs:comment "An Ed25519 signature"@en .
signify:message
    a rdf:Property ;
    rdfs:label "Signed Message"@en ;
    rdfs:domain signify:Signature .
Changelog
UNRELEASED
- Use http://purl.org/signify# as base URL instead of content-addressing for vocabulary
- Encode public and secret key in a URN. Remove unnecessary PublicKey and SecretKey classes
- Add secretKey property
v0.1 - 11. June 2020
- Initial version
References
- [ERIS] pukkamustard, Encoding for Robust Immutable Storage (ERIS), 2020.
- [ContentAddressableRDF] pukkamustard, Content-addressable RDF, 2020.
- [RFC4648] S. Josefsson, The Base16, Base32, and Base64 Data Encodings, 2006.
- [RFC8032] S. Josefsson and I. Liusvaara, Edwards-Curve Digital Signature Algorithm (EdDSA), 2017.
- [signify] T. Unangst, signify: Securing OpenBSD From Us To You, 2015.