The Security Vocabulary

Unofficial Draft 25 September 2011

Editor:
Manu Sporny, Digital Bazaar, Inc.

Abstract

Status of This Document

This document is merely a public working draft of a potential specification. It has no official standing of any kind and does not represent the support or consensus of any standards organisation.

1. Introduction

This document describes a number of classes and properties that can be used to express digital signatures and achieve cryptographic protection on resources living on the Semantic Web.

This entire document is a work in progress and is thus incredibly unstable. It must not be used for any production use. It may harm children and animals. It will probably set your house on fire. You have been warned.

2. Classes

2.1 EncryptedMessage

A class of messages that have been encrypted. In practice, these messages cannot be decrypted without the proper decryption key or password.

Status
unstable
Parent Class
owl:Thing
Properties
sec:data, sec:encryptionKey, sec:password, sec:cipher, sec:iv, sec:publicKey

The example below describes an encrypted message, including the cipher used, the initialization vector, the encrypted password and a reference to the public key that was used to encrypt it.

{
   "@type": "sec:EncryptedMessage",
   "sec:data": "VTJGc2RHVmtYMThOY3h2dnNVN290Zks1dmxWc3labi9sYkU0TGloRTdxY0dpblE4OHgrUXFNNi9l\na1JMWjdXOApRSGtrbzh6UG5XOFo3WWI4djJBUG1abnlRNW5CVGViWkRGdklpMEliczNWSzRQTGdB\nUFhxYTR2aWFtemwrWGV3Cmw0eFF4ancvOW85dTlEckNURjMrMDBKMVFubGdtci9abkFRSmc5UjdV\nRk55ckpYalIxZUJuKytaQ0luUTF2cUwKcm5vcDU1eWk3RFVqVnMrRXZZSkx6RVF1VlBVQ0xxdXR4\nL3lvTWd4bkdhSksxOG5ZakdiekJxSGxOYm9pVStUNwpwOTJ1Q0Y0Q2RiR1NqL0U3OUp4Vmh6OXQr\nMjc2a1V3RUlNY3o2Z3FadXZMU004KzRtWkZiakh6K2N5a1VVQ2xHCi9RcTk3b2o3N2UrYXlhZjhS\nZmtEZzlUeWk3Q2szREhSblprcy9WWDJWUGhUOEJ5c3RiYndnMnN4eWc5TXhkbHoKUkVESzFvR0FJ\nUDZVQ09NeWJLTGpBUm0zMTRmcWtXSFdDY29mWFNzSGNPRmM2cnp1Wko0RnVWTFNQMGROUkFRRgpB\nbFQ0QUpPbzRBZHpIb2hpTy8vVGhNOTl1U1ZER1NPQ3graFAvY3V4dGNGUFBSRzNrZS8vUk1MVFZO\nYVBlaUp2Ckg4L1ZWUVU4L3dLZUEyeTQ1TzQ2K2lYTnZsOGErbGg0NjRUS3RabktFb009Cg==",
   "sec:encryptionKey": "uATtey0c4nvZIsDIfpFffuCyMYGPKRLIVJCsvedE013SpEJ+1uO7x6SK9hIG9zLWRlPpwmbar2bt\ngTX5NBzYC5+c5ZkXtM1O8REwIJ7wmtLdumRYEbr/TghFl3pAgXhv0mVt8XZ+KLWlxMqXnrT+ByNw\nz7u3IxpqNVcXHExjXQE=",
   "sec:password": "5dTlEckNURjMrMDER1NPQ3graFABKMVFub=",
   "sec:cipher": "aes-128-cbc",
   "sec:iv": "vcDU1eWTy8vVGhNOszREhSblFVqVnGpBUm0zMTRmcWtMrRX==",
   "sec:publicKey": "http://example.com/people/john/keys/23"
}

2.2 Key

This class represents a cryptographic key that may be used for digital signatures or cryptography.

Status
unstable
Parent Class
owl:Thing
Properties
sec:publicKey, sec:privateKeyPem, sec:publicKeyPem

The example below describes a cryptographic key that contains both the public and private key as well as the owner of the key.

{
   "@subject": "https://payswarm.example.com/i/bob/keys/1",
   "@type": "sec:Key",
   "ps:owner": "https://payswarm.example.com/i/bob",
   "sec:privateKeyPem": "-----BEGIN PRIVATE KEY-----\nMII8YbF3s8q3c...j8Fk88FsRa3K\n-----END PRIVATE KEY-----\n",
   "sec:publicKeyPem": "-----BEGIN PUBLIC KEY-----\nMIIBG0BA...OClDQAB\n-----END PUBLIC KEY-----\n"
}

2.3 Signature

This class represents a digital signature on serialized data. It is an abstract class and should not be used other than for Semantic reasoning purposes, such as by a Reasoning Agent.

Status
unstable
Parent Class
owl:Thing
Properties
none

A Signature class must not be used as an RDF type. It should instead be used as the base class for all signature classes. For a signature sub-class to be of use, it should express at least three signature algorithm properties: sec:normalizationAlgorithm, sec:digestAlgorithm, and sec:signingAlgorithm.

2.4 JsonldSignature

A JSON-LD signature is used for digital signatures on RDF graphs expressed in JSON-LD format. The default normalization mechanism is specified in the JSON-LD specification, which effectively resolves all CURIEs and deterministically names all unnamed nodes. The default digest method uses the SHA-1 algorithm. The default signature mechanism uses a SHA-1 digest and RSA to perform the digital signature.

Status
unstable
Parent Class
sec:Signature
Properties
sec:signer, sec:signatureValue
Signing Properties
Default Normalization Method
http://purl.org/jsonld#UGNA2011
Default Digest Method
http://www.w3.org/2000/09/xmldsig#sha1
Default Signing Algorithm
http://www.w3.org/2000/09/xmldsig#rsa-sha1

The example below shows how a basic JSON-LD signature is expressed in a JSON-LD snippet. Note that the signature property is directly embedded in the object. The signing algorithm understands that, in order to check the signature, the signature property must be removed and the text canonicalized using the standard normalization algorithm for JSON-LD.

{
    "@type": "foaf:Person",
    "foaf:name": "Manu Sporny",
    "foaf:homepage": "http://manu.sporny.org/",
    "sec:signature":
    {
        "@type": "sec:JsonldSignature",
        "sec:signer": "http://manu.sporny.org/webid#key-5",
        "sec:signatureValue": "OGQzNGVkMzVmMmQ3ODIyOWM32MzQzNmExMgoYzI4ZDY3NjI4NTIyZTk="
    }
}

2.5 XmlSignature

An XML signature is used for digital signatures in RDF graphs where the data is expressed in an XML format. The default normalization mechanism is specified in the XML normalization specification. The default digest method uses the SHA-1 algorithm. The default signature mechanism uses a SHA-1 digest and RSA to perform the digital signature.

Status
unstable
Parent Class
sec:Signature
Properties
sec:signer, sec:signatureValue
Signing Properties
Default Normalization Method
http://www.w3.org/2006/12/xml-c14n11
Default Digest Method
http://www.w3.org/2000/09/xmldsig#sha1
Default Signing Algorithm
http://www.w3.org/2000/09/xmldsig#rsa-sha1

The signature example below demonstrates how XML data can be expressed and digitally signed in an RDF graph.

@prefix rdf: <http://www.w3.org/1999/02/22-rdf-syntax-ns#> .
@prefix sec: <http://purl.org/security#> .
_:bnode1 rdf:type sec:XmlSignature ;
         sec:data "<mydata>Some data</mydata>" ;
         sec:signer <http://example.com/people/john-doe#key-5> ;
         sec:signatureValue "OGQzNGVkMzVmMmQ3ODIyOWM32MzQzNmExMgoYzI4ZDY3NjI4NTIyZTk=" .

Signature defaults can be overridden by specifying the non-default values like so:

@prefix rdf: <http://www.w3.org/1999/02/22-rdf-syntax-ns#> .
@prefix sec: <http://purl.org/security#> .
_:bnode1 rdf:type sec:XmlSignature ;
         sec:data "<mydata>Some data</mydata>" ;
         sec:normalizationAlgorithm <http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments> ;
         sec:digestAlgorithm <http://example.org/digestAlgorithms#sha1024> ;
         sec:signingAlgorithm <http://example.org/signatureMethods#superSecretSignatureAlgorithm> ;
         sec:signer <http://example.com/people/john-doe#key-5> ;
         sec:signatureValue "3ODIyOWOGQzNGVkMzVmMmQM32MzQzNmExMgNjI4NTIyZTkoYzI4ZDY3=" .

3. Properties

3.1 cipher

The cipher describes the mechanism used to encrypt a message. It is typically a string expressing the cipher suite, the strength of the cipher and a block cipher mechanism.

Status
unstable
Domain
sec:EncryptedMessage
Range
xsd:string

The example below describes the cipher as the Advanced Encryption Standard using 128-bit keys and cipher block chaining.

{
   "@type": "sec:EncryptedMessage",
   "sec:data": "VTJGc2RHVmtYMThOY3h2dnNVN290Zks1dmxWc3labi9sYkU0TGloRTdxY0dpblE4OHgrUXFNNi9l\na1JMWjdXOApRSGtrbzh6UG5XOFo3WWI4djJBUG1abnlRNW5CVGViWkRGdklpMEliczNWSzRQTGdB\nUFhxYTR2aWFtemwrWGV3Cmw0eFF4ancvOW85dTlEckNURjMrMDBKMVFubGdtci9abkFRSmc5UjdV\nRk55ckpYalIxZUJuKytaQ0luUTF2cUwKcm5vcDU1eWk3RFVqVnMrRXZZSkx6RVF1VlBVQ0xxdXR4\nL3lvTWd4bkdhSksxOG5ZakdiekJxSGxOYm9pVStUNwpwOTJ1Q0Y0Q2RiR1NqL0U3OUp4Vmh6OXQr\nMjc2a1V3RUlNY3o2Z3FadXZMU004KzRtWkZiakh6K2N5a1VVQ2xHCi9RcTk3b2o3N2UrYXlhZjhS\nZmtEZzlUeWk3Q2szREhSblprcy9WWDJWUGhUOEJ5c3RiYndnMnN4eWc5TXhkbHoKUkVESzFvR0FJ\nUDZVQ09NeWJLTGpBUm0zMTRmcWtXSFdDY29mWFNzSGNPRmM2cnp1Wko0RnVWTFNQMGROUkFRRgpB\nbFQ0QUpPbzRBZHpIb2hpTy8vVGhNOTl1U1ZER1NPQ3graFAvY3V4dGNGUFBSRzNrZS8vUk1MVFZO\nYVBlaUp2Ckg4L1ZWUVU4L3dLZUEyeTQ1TzQ2K2lYTnZsOGErbGg0NjRUS3RabktFb009Cg==",
   "sec:encryptionKey": "uATtey0c4nvZIsDIfpFffuCyMYGPKRLIVJCsvedE013SpEJ+1uO7x6SK9hIG9zLWRlPpwmbar2bt\ngTX5NBzYC5+c5ZkXtM1O8REwIJ7wmtLdumRYEbr/TghFl3pAgXhv0mVt8XZ+KLWlxMqXnrT+ByNw\nz7u3IxpqNVcXHExjXQE=",
   "sec:password": "5dTlEckNURjMrMDER1NPQ3graFABKMVFub=",
   "sec:cipher": "aes-128-cbc",
   "sec:iv": "vcDU1eWTy8vVGhNOszREhSblFVqVnGpBUm0zMTRmcWtMrRX==",
   "sec:publicKey": "http://example.com/people/john/keys/23"
}

3.2 data

Used to specify the data associated with a signature if the information should not be gleaned from the containing graph.

Status
unstable
Domain
sec:Signature
Range
xsd:string, rdf:XMLLiteral

The following example demonstrates how the data property can be specified explicitly. This example is a bit strange as a JSON-LD signature would typically be found in the same graph as the data that was signed, but the example below shows that signatures can be specified in a number of flexible ways:

{
    "@type": "sec:JsonldSignature",
    "sec:data": "{ \"#\" : { \"foaf\" : \"http://xmlns.com/foaf/0.1\" }, \"a\": \"foaf:Person\", \"foaf:name\": \"Joe Bob\" }",
    "sec:signer": "http://example.com/people/john-doe#key-5",
    "sec:signatureValue": "kMzVmMmQ3OgoYzIOGQzNGV4ZDY3NjI4NTIyZTkDIyOWM32MzQzNmExM="
}

3.3 digestAlgorithm

The digest method is used to specify the cryptographic function to use when generating the data to be digitally signed. Typically, text to be signed goes through three steps: 1) normalization, 2) digest, and 3) signature. This property is used to specify the algorithm that should be used for step #2. A signature class typically specifies a default digest method, so this property rarely needs to be used in practice.

Status
unstable
Domain
sec:Signature
Range
xsd:anyURI, xsd:string

The following example shows how the digest method can override the default digest method specified by the signature class:

{
    "@type": "foaf:Person",
    "foaf:name": "Jane Doe",
    "foaf:homepage": "http://example.org/jane",
    "sec:signature":
    {
        "@type": "sec:JsonldSignature",
        "sec:digestAlgorithm": "http://example.com/digests#sha512",
        "sec:signer": "http://example.com/people/john-doe#key-5",
        "sec:signatureValue": "OGQzNGVkMzVm4NTIyZTkZDYMmMzQzNmExMgoYzI43Q3ODIyOWM32NjI="
    }
}

3.4 iv

The initialization vector is a byte stream that is typically used to initialize certain password-based encryption schemes. For a receiving application to be able to decrypt the message, it must not only know the decryption password, but the initialization vector as well. The value is typically base-64 encoded.

Status
unstable
Domain
sec:EncryptedMessage
Range
xsd:string

The following example shows a public key based encrypted message where the decryption password is encrypted using the public key described in the message. Since the cipher is AES-128-CBC, an initialization vector along with the password and the public key is required in order to decrypt the data.

{
   "@type": "sec:EncryptedMessage",
   "sec:data": "VTJGc2RHVmtYMThOY3h2dnNVN290Zks1dmxWc3labi9sYkU0TGloRTdxY0dpblE4OHgrUXFNNi9l\na1JMWjdXOApRSGtrbzh6UG5XOFo3WWI4djJBUG1abnlRNW5CVGViWkRGdklpMEliczNWSzRQTGdB\nUFhxYTR2aWFtemwrWGV3Cmw0eFF4ancvOW85dTlEckNURjMrMDBKMVFubGdtci9abkFRSmc5UjdV\nRk55ckpYalIxZUJuKytaQ0luUTF2cUwKcm5vcDU1eWk3RFVqVnMrRXZZSkx6RVF1VlBVQ0xxdXR4\nL3lvTWd4bkdhSksxOG5ZakdiekJxSGxOYm9pVStUNwpwOTJ1Q0Y0Q2RiR1NqL0U3OUp4Vmh6OXQr\nMjc2a1V3RUlNY3o2Z3FadXZMU004KzRtWkZiakh6K2N5a1VVQ2xHCi9RcTk3b2o3N2UrYXlhZjhS\nZmtEZzlUeWk3Q2szREhSblprcy9WWDJWUGhUOEJ5c3RiYndnMnN4eWc5TXhkbHoKUkVESzFvR0FJ\nUDZVQ09NeWJLTGpBUm0zMTRmcWtXSFdDY29mWFNzSGNPRmM2cnp1Wko0RnVWTFNQMGROUkFRRgpB\nbFQ0QUpPbzRBZHpIb2hpTy8vVGhNOTl1U1ZER1NPQ3graFAvY3V4dGNGUFBSRzNrZS8vUk1MVFZO\nYVBlaUp2Ckg4L1ZWUVU4L3dLZUEyeTQ1TzQ2K2lYTnZsOGErbGg0NjRUS3RabktFb009Cg==",
   "sec:encryptionKey": "uATtey0c4nvZIsDIfpFffuCyMYGPKRLIVJCsvedE013SpEJ+1uO7x6SK9hIG9zLWRlPpwmbar2bt\ngTX5NBzYC5+c5ZkXtM1O8REwIJ7wmtLdumRYEbr/TghFl3pAgXhv0mVt8XZ+KLWlxMqXnrT+ByNw\nz7u3IxpqNVcXHExjXQE=",
   "sec:password": "5dTlEckNURjMrMDER1NPQ3graFABKMVFub=",
   "sec:cipher": "aes-128-cbc",
   "sec:iv": "vcDU1eWTy8vVGhNOszREhSblFVqVnGpBUm0zMTRmcWtMrRX==",
   "sec:publicKey": "http://example.com/people/john/keys/23"
}

3.5 nonce

This property is used in conjunction with the input to the signature hashing function in order to protect against replay attacks. Typically, receivers need to track all nonce values used within a certain time period in order to ensure that an attacker cannot merely re-send a previously captured packet in order to execute a privileged request.

Status
unstable
Domain
sec:Signature
Range
xsd:string

The following example shows a fairly sensitive request that is digitally signed with a nonce. How the nonce is used is up to the signature algorithm, but the value is typically included as input to the signature hashing function in order to protect against replay attacks.

{
    "ex:request": "DELETE foo.txt",
    "sec:signature":
    {
        "@type": "sec:JsonldSignature",
        "sec:signer": "http://example.com/people/john-doe#key-5",
        "sec:signatureValue": "Q3ODIyOGQzNGVkMzVm4NTIyZ43OWM32NjITkZDYMmMzQzNmExMgoYzI=",
        "sec:nonce": "8495723045.84957"
    }
}
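The receiver-side bookkeeping that the nonce property implies, a store of nonces seen within a time window, is shown below as an added example; it is not code from the specification. Assumptions: the five-minute window is this example's choice; ex:issued is a hypothetical property (in the same example namespace as the page's ex:request) carrying the request's issue time, which must be inside the signed input along with sec:nonce for the window to be safe; and the signature check is passed in as a callback so that this block stays independent of any particular signature algorithm.

```javascript
const WINDOW_MS = 5 * 60 * 1000; // ASSUMPTION: five-minute acceptance window

// Nonces accepted within the window, keyed by value.
class NonceStore {
  constructor(windowMs = WINDOW_MS) {
    this.windowMs = windowMs;
    this.seen = new Map(); // nonce -> time it was first accepted
  }
  // Forget nonces older than the window. This is only safe because a request
  // older than the window is rejected by the ex:issued check before it gets
  // here; without that check every nonce would have to be kept forever.
  expire(now) {
    for (const [nonce, at] of this.seen) {
      if (now - at > this.windowMs) this.seen.delete(nonce);
    }
  }
  // Record the nonce; true if it was fresh, false if it was seen already.
  accept(nonce, now) {
    this.expire(now);
    if (typeof nonce !== 'string' || nonce.length === 0) return false;
    if (this.seen.has(nonce)) return false;
    this.seen.set(nonce, now);
    return true;
  }
}

// Order matters: verify the signature first (so only authenticated requests
// consume store memory), then bound the request's age, then check the nonce.
function processRequest(store, request, verifySignature, now) {
  const sig = request['sec:signature'];
  if (!sig || typeof sig['sec:nonce'] !== 'string') return 'missing-nonce';
  if (!verifySignature(request)) return 'bad-signature';
  const issued = Number(request['ex:issued']); // ASSUMPTION: hypothetical property
  if (!Number.isFinite(issued) || Math.abs(now - issued) > store.windowMs) return 'stale';
  if (!store.accept(sig['sec:nonce'], now)) return 'replay';
  return 'ok';
}

// Walk the spec's "DELETE foo.txt" request through the store with a
// constructed clock. The signature callback here only checks that a signature
// value is present; a real receiver would run full signature verification.
function demo() {
  const store = new NonceStore();
  const t0 = 1700000000000; // constructed clock, milliseconds
  const verify = (req) => typeof req['sec:signature']['sec:signatureValue'] === 'string';
  const request = {
    'ex:request': 'DELETE foo.txt',
    'ex:issued': String(t0),
    'sec:signature': {
      '@type': 'sec:JsonldSignature',
      'sec:signer': 'http://example.com/people/john-doe#key-5',
      'sec:signatureValue': 'Q3ODIyOGQzNGVkMzVm4NTIyZ43OWM32NjITkZDYMmMzQzNmExMgoYzI=',
      'sec:nonce': '8495723045.84957',
    },
  };
  const again = JSON.parse(JSON.stringify(request));
  const fresh = JSON.parse(JSON.stringify(request));
  fresh['sec:signature']['sec:nonce'] = '8495723046.11111';
  const result = {
    first: processRequest(store, request, verify, t0 + 1000),
    replay: processRequest(store, again, verify, t0 + 2000),
    otherNonce: processRequest(store, fresh, verify, t0 + 3000),
    late: processRequest(store, again, verify, t0 + WINDOW_MS + 60000),
  };
  store.expire(t0 + WINDOW_MS + 60000);
  result.remembered = store.seen.size; // both nonces have aged out of the window
  return result;
}
```

The store only bounds memory because the issue time is checked first; a replay arriving after the window is rejected as stale, not because the nonce is remembered. Both ex:issued and sec:nonce therefore have to be covered by the signature, otherwise either could be rewritten by whoever captured the request.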

3.6 normalizationAlgorithm

The normalization method is used to transform the target graph, or the sec:data property, into a form that can be passed to a cryptographic digest method. The digest is then digitally signed using a digital signature algorithm. Normalization ensures that a piece of software that is generating a digital signature is able to simplify the input graph or data to a form that is the same across all programs regardless of how much whitespace and unnecessary formatting information is included in the input data.

Status
unstable
Domain
sec:Signature
Range
xsd:anyURI, xsd:string

While the normalization method is usually associated with the digital signature class defaults, it can also be specified in a signature to override the defaults:

{
    "@type": "foaf:Person",
    "foaf:name": "Joe Bob",
    "foaf:homepage": "http://example.org/joebob",
    "sec:signature":
    {
        "@type": "sec:JsonldSignature",
        "sec:normalizationAlgorithm": "http://example.com/vocab#fancy-normalization-method",
        "sec:signer": "http://example.com/people/john-doe#key-5",
        "sec:signatureValue": "Q3ODIyOWM32OGQzNGVkMzVmMmMzQzNmExMgoYzI43NjI4NTIyZTkZDY="
    }
}

3.7 password

A secret that is used to decrypt an encrypted message. It is typically a string value. Some passwords are encrypted using a public key so that only the intended recipient may know the password.

Status
unstable
Domain
sec:EncryptedMessage
Range
xsd:string

The password example below is a public-key encrypted string that has been base-64 encoded.

{
   "@type": "sec:EncryptedMessage",
   "sec:data": "VTJGc2RHVmtYMThOY3h2dnNVN290Zks1dmxWc3labi9sYkU0TGloRTdxY0dpblE4OHgrUXFNNi9l\na1JMWjdXOApRSGtrbzh6UG5XOFo3WWI4djJBUG1abnlRNW5CVGViWkRGdklpMEliczNWSzRQTGdB\nUFhxYTR2aWFtemwrWGV3Cmw0eFF4ancvOW85dTlEckNURjMrMDBKMVFubGdtci9abkFRSmc5UjdV\nRk55ckpYalIxZUJuKytaQ0luUTF2cUwKcm5vcDU1eWk3RFVqVnMrRXZZSkx6RVF1VlBVQ0xxdXR4\nL3lvTWd4bkdhSksxOG5ZakdiekJxSGxOYm9pVStUNwpwOTJ1Q0Y0Q2RiR1NqL0U3OUp4Vmh6OXQr\nMjc2a1V3RUlNY3o2Z3FadXZMU004KzRtWkZiakh6K2N5a1VVQ2xHCi9RcTk3b2o3N2UrYXlhZjhS\nZmtEZzlUeWk3Q2szREhSblprcy9WWDJWUGhUOEJ5c3RiYndnMnN4eWc5TXhkbHoKUkVESzFvR0FJ\nUDZVQ09NeWJLTGpBUm0zMTRmcWtXSFdDY29mWFNzSGNPRmM2cnp1Wko0RnVWTFNQMGROUkFRRgpB\nbFQ0QUpPbzRBZHpIb2hpTy8vVGhNOTl1U1ZER1NPQ3graFAvY3V4dGNGUFBSRzNrZS8vUk1MVFZO\nYVBlaUp2Ckg4L1ZWUVU4L3dLZUEyeTQ1TzQ2K2lYTnZsOGErbGg0NjRUS3RabktFb009Cg==",
   "sec:encryptionKey": "uATtey0c4nvZIsDIfpFffuCyMYGPKRLIVJCsvedE013SpEJ+1uO7x6SK9hIG9zLWRlPpwmbar2bt\ngTX5NBzYC5+c5ZkXtM1O8REwIJ7wmtLdumRYEbr/TghFl3pAgXhv0mVt8XZ+KLWlxMqXnrT+ByNw\nz7u3IxpqNVcXHExjXQE=",
   "sec:password": "5dTlEckNURjMrMDER1NPQ3graFABKMVFub=",
   "sec:cipher": "aes-128-cbc",
   "sec:iv": "vcDU1eWTy8vVGhNOszREhSblFVqVnGpBUm0zMTRmcWtMrRX==",
   "sec:publicKey": "http://example.com/people/john/keys/23"
}

3.8 privateKeyPem

A private key PEM property is used to specify the PEM-encoded version of the private key. This encoding is compatible with almost every Secure Sockets Layer library implementation and typically plugs directly into functions initializing private keys.

Status
unstable
Domain
sec:Key, owl:Thing
Range
xsd:string

The following example demonstrates the expression of a private key PEM. The ellipsis ("...") in the middle of the string denotes more data that has been abbreviated for the sake of the readability of the example.

{
   "@subject": "https://payswarm.example.com/i/bob/keys/1",
   "@type": "sec:Key",
   "ps:owner": "https://payswarm.example.com/i/bob",
   "sec:privateKeyPem": "-----BEGIN PRIVATE KEY-----\nMII8YbF3s8q3c...j8Fk88FsRa3K\n-----END PRIVATE KEY-----\n",
   "sec:publicKeyPem": "-----BEGIN PUBLIC KEY-----\nMIIBG0BA...OClDQAB\n-----END PUBLIC KEY-----\n"
}

3.9 publicKey

A public key property refers to a URL that contains information about a public key.

Status
unstable
Domain
sec:Key, owl:Thing
Range
xsd:anyURI

The following example demonstrates the expression of a public key belonging to the identity https://payswarm.example.com/i/bob.

{
   "@subject": "https://payswarm.example.com/i/bob/keys/1",
   "@type": "sec:Key",
   "ps:owner": "https://payswarm.example.com/i/bob",
   "sec:publicKeyPem": "-----BEGIN PUBLIC KEY-----\nMIIBG0BA...OClDQAB\n-----END PUBLIC KEY-----\n"
}

3.10 publicKeyPem

A public key PEM property is used to specify the PEM-encoded version of the public key. This encoding is compatible with almost every Secure Sockets Layer library implementation and typically plugs directly into functions initializing public keys.

Status
unstable
Domain
sec:Key, owl:Thing
Range
xsd:string

The following example demonstrates the expression of a public key PEM. The ellipsis ("...") in the middle of the string denotes more data that has been abbreviated for the sake of the readability of the example.

{
   "@subject": "https://payswarm.example.com/i/bob/keys/1",
   "ps:owner": "https://payswarm.example.com/i/bob",
   "sec:publicKeyPem": "-----BEGIN PUBLIC KEY-----\nMIIBG0BA...OClDQAB\n-----END PUBLIC KEY-----\n"
}

3.11 signature

The signature property is used to associate a signature with a subject in a graph of information. The signature property is typically not included in the canonicalized graph that is then digested, and digitally signed.

Status
unstable
Domain
owl:Thing
Range
sec:Signature

The following example demonstrates how a signature on the graph identified by the subject http://example.com/people#jane is expressed using a JSON-LD signature:

{
    "@subject": "http://example.com/people#jane",
    "@type": "foaf:Person",
    "foaf:name": "Jane Doe",
    "foaf:homepage": "http://example.org/jane",
    "sec:signature":
    {
        "@type": "sec:JsonldSignature",
        "sec:signer": "http://example.com/people/john-doe#key-5",
        "sec:signatureValue": "OGQzNGVkMzVm4NTIyZTkZDYMmMzQzNmExMgoYzI43Q3ODIyOWM32NjI="
    }
}

3.12 signatureFor

A signatureFor property can be used to express a digital signature of a graph that is external to the local environment, or a sub-graph of the local environment.

Is this really that much different from sec:data? Can we collapse the two properties into one?

Status
unstable
Domain
sec:Signature
Range
xsd:anyURI, owl:Thing

{
    "@subject": "http://example.com/people#jane",
    "@type": "foaf:Person",
    "foaf:name": "Jane Doe",
    "foaf:homepage": "http://example.org/jane",
    "foaf:knows":
    {
        "@subject": "http://example.com/people#john",
        "@type": "foaf:Person",
        "foaf:name": "John Smith",
        "foaf:homepage": "http://example.org/john"
    },
    "sec:signature":
    {
        "@type": "sec:JsonldSignature",
        "sec:signatureFor": "http://example.org/people#john",
        "sec:signer": "http://example.com/people/john-doe#key-5",
        "sec:signatureValue": "IyQ3ODOGQzN4NTIyZTkZDYMmMzQzNmExMgoYzI43OWM32NjIGVkMzVm="
    }
}

3.13 signer

The signer property specifies a location where you may retrieve information about the public key that created the digital signature in order to verify the authenticity of the signature, as well as any owner information related to the public key.

Status
unstable
Domain
TBD
Range
TBD

The following example expresses the location of the semantic information about the public key that can be used to verify the digital signature:

{
    "@subject": "http://example.com/people#jane",
    "@type": "foaf:Person",
    "foaf:name": "Jane Doe",
    "foaf:homepage": "http://example.org/jane",
    "sec:signature":
    {
        "@type": "sec:JsonldSignature",
        "sec:signer": "http://example.com/people/john-doe#key-5",
        "sec:signatureValue": "OGQzNGVkMzVm4NTIyZTkZDYMmMzQzNmExMgoYzI43Q3ODIyOWM32NjI="
    }
}

3.14 signatureValue

The signature value is used to express the output of the signature algorithm expressed in Base-64 format.

Status
unstable
Domain
sec:Signature
Range
xsd:string

The following example shows how the output of the signature algorithm can be encoded in JSON-LD:

{
    "@subject": "http://example.com/people#jane",
    "@type": "foaf:Person",
    "foaf:name": "Jane Doe",
    "foaf:homepage": "http://example.org/jane",
    "sec:signature":
    {
        "@type": "sec:JsonldSignature",
        "sec:signer": "http://example.com/people/john-doe#key-5",
        "sec:signatureValue": "OGQzNGVkMzVm4NTIyZTkZDYMmMzQzNmExMgoYzI43Q3ODIyOWM32NjI="
    }
}

3.15 signingAlgorithm

The signing algorithm is used to specify the cryptographic signature function to use when digitally signing the digest data. Typically, text to be signed goes through three steps: 1) normalization, 2) digest, and 3) signature. This property is used to specify the algorithm that should be used for step #3. A signature class typically specifies a default signing algorithm, so this property rarely needs to be used in practice.

Status
unstable
Domain
sec:Signature
Range
xsd:anyURI, xsd:string

{
    "@type": "foaf:Person",
    "foaf:name": "Joe Bob",
    "foaf:homepage": "http://example.org/joebob",
    "sec:signature":
    {
        "@type": "sec:JsonldSignature",
        "sec:signingAlgorithm": "http://example.com/vocab#special-signing-algorithm",
        "sec:signer": "http://example.com/people/john-doe#key-5",
        "sec:signatureValue": "P9fDIyOWM32OGQzNGVkMzVmMmMzQzNmExMgoYzI43NjI4k3FJKs98f="
    }
}

A. References

A.1 Normative references

No normative references.

A.2 Informative references

No informative references.