An RDF vocabulary for cryptographically signing content-addressed content using the Ed25519 algorithm.
1. Introduction
In previous work we have shown how RDF data can be made content-addressable [ContentAddressableRDF]. This automatically allows the integrity of the data to be verified. To ensure authenticity of content we need to mix in some asymmetric cryptography.
RDF Signify is a simple RDF vocabulary (a single class and three predicates) that describes how the Ed25519 [RFC8032] algorithm can be used for signing and verifying content.
RDF Signify cannot sign messages directly, but can be used to sign identifiers of content-addressed content. In particular it can sign identifiers of content-addressed RDF [ContentAddressableRDF] that is encoded with ERIS [ERIS].
We believe that RDF Signify is a significantly simpler approach than what is proposed in the context of Linked Data Proofs (previously Linked Data Signatures), allowing much easier implementation and wider adoption.
The vocabulary is inspired by the OpenBSD signify tool [signify].
2. Encoding of keys as URN
Public and secret keys are encoded as URNs.
A public key is encoded as a URI as follows:
crypto:ed25519:pk:V4B5SJBQMRDPL4FSLZWCBYJ4BYPAGJDI5EELORBGIADUTWP4EXTQ
Here the 32-byte public key is encoded using the Base32 encoding without padding [RFC4648].
A secret key can be encoded similarly:
crypto:ed25519:sk:SKITUCNA6D4V6KWKQS4LJ5DHE7BJ75LCTI5LSJO3ZGY5BA6TMLMQ
3. Vocabulary
The RDF Signify vocabulary is described in the following. The complete vocabulary is given as Turtle in Appendix A and is also available at http://purl.org/signify.
The prefix signify: is used for http://purl.org/signify#.
3.1. Public Key
A public key may be published and attached to objects (e.g. an ActivityPub actor) using the signify:publicKey property.
For example this can be used to attach a public key to an ActivityStreams actor:
@prefix signify: <http://purl.org/signify#> .
@prefix as: <https://www.w3.org/ns/activitystreams#> .
<https://social.example/alyssa/>
a as:Person ;
as:name "Alyssa P. Hacker" ;
as:preferredUsername "alyssa" ;
signify:publicKey <crypto:ed25519:pk:V4B5SJBQMRDPL4FSLZWCBYJ4BYPAGJDI5EELORBGIADUTWP4EXTQ> .
3.2. Secret Key
Similarly to public keys, a secret key may be attached to objects using the signify:secretKey property.
Caution: Secret keys need to be kept secret and should never be attached to an object that may be shared or become public. The
3.3. Signature
The signify:Signature class defines an Ed25519 signature of a message.
The expected properties of a signify:Signature are:
signify:message
The IRI that is signed. Range must be an IRI.
rdf:value
The Ed25519 signature of the UTF-8 encoded byte sequence of the message IRI, encoded as xsd:base64Binary.
signify:publicKey
The public key corresponding to the secret key used to sign the message.
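The key URN encoding of Section 2 and the three signify:Signature properties above, worked through as an added Go example that is not part of the original specification or of the openEngiadina project's code: keys are rendered and parsed as crypto:ed25519:pk:/sk: URNs, the UTF-8 bytes of a message IRI are signed with the secret key, and the result is verified against the public key the Signature names. The Signature struct, the function names and the use of Go's standard crypto/ed25519 package are the example's own assumptions.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base32"
	"encoding/base64"
	"errors"
	"strings"
)

// Key URNs carry the 32 raw key bytes as Base32 without padding (RFC 4648).
var b32 = base32.StdEncoding.WithPadding(base32.NoPadding)

// KeyURN renders a 32-byte Ed25519 key as crypto:ed25519:<kind>:<base32>.
func KeyURN(kind string, key []byte) string {
	return "crypto:ed25519:" + kind + ":" + b32.EncodeToString(key)
}

// ParseKeyURN reverses KeyURN; a wrong kind, bad Base32 or a key that is not
// 32 bytes (seed and public key are the same size) is rejected.
func ParseKeyURN(urn, kind string) ([]byte, error) {
	prefix := "crypto:ed25519:" + kind + ":"
	key, err := b32.DecodeString(strings.TrimPrefix(urn, prefix))
	if !strings.HasPrefix(urn, prefix) || err != nil || len(key) != ed25519.SeedSize {
		return nil, errors.New("not a 32-byte Ed25519 " + kind + " URN")
	}
	return key, nil
}
// Signature holds the three expected properties of a signify:Signature (assumed shape).
type Signature struct {
	Message   string // signify:message: the signed IRI
	Value     string // rdf:value: the Ed25519 signature as xsd:base64Binary
	PublicKey string // signify:publicKey: URN of the public half of the signing key
}
// Sign signs the UTF-8 bytes of the message IRI with the secret key named by secretURN.
func Sign(secretURN, message string) (Signature, error) {
	seed, err := ParseKeyURN(secretURN, "sk")
	if err != nil {
		return Signature{}, err
	}
	priv := ed25519.NewKeyFromSeed(seed)
	sig := base64.StdEncoding.EncodeToString(ed25519.Sign(priv, []byte(message)))
	return Signature{message, sig, KeyURN("pk", priv.Public().(ed25519.PublicKey))}, nil
}

// Verify checks rdf:value against the public key the Signature itself names; any
// change to message, value or key URN makes it return false.
func Verify(s Signature) bool {
	pk, err := ParseKeyURN(s.PublicKey, "pk")
	sig, err2 := base64.StdEncoding.DecodeString(s.Value)
	return err == nil && err2 == nil && ed25519.Verify(ed25519.PublicKey(pk), []byte(s.Message), sig)
}
```

Verify only proves that the holder of the secret key behind the URN carried in the Signature signed that IRI; whether that key is the one the expected actor publishes via signify:publicKey is a separate check the consumer has to make.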
4. Conclusion
We believe we have presented a simple vocabulary that enables cryptographic signatures of content-addressed data. We intend to use this as an understandable and implementable alternative to Linked Data Proofs. However, using this vocabulary requires the data to already be content-addressed (whereas Linked Data Proofs perform normalization and content-addressing as part of the signature procedure).
The major hurdle in using RDF Signify is that it requires content-addressing. We intend to continue evangelizing the merits of content-addressing and provide further examples of how RDF Signify can be used in existing systems such as ActivityPub.
4.1. Acknowledgments
RDF Signify was developed as part of the openEngiadina project and has been supported by the NLNet Foundation through the NGI0 Discovery Fund.
Appendix A: RDF Vocabulary
The vocabulary is also available at http://purl.org/signify/ns.
@prefix signify: <http://purl.org/signify/ns#> .
@prefix rdf: <http://www.w3.org/1999/02/22-rdf-syntax-ns#> .
@prefix rdfs: <http://www.w3.org/2000/01/rdf-schema#> .
@prefix owl: <http://www.w3.org/2002/07/owl#> .
<http://purl.org/signify/ns#>
a owl:Ontology ;
rdfs:label "RDF Signify";
rdfs:comment " A RDF vocabulary for cryptographically signing content-addressed content using the Ed25519 algorithm."@en .
signify:publicKey
a rdf:Property ;
rdfs:label "Public Key"@en ;
rdfs:comment "An associated Ed25519 public key"@en .
signify:secretKey
a rdf:Property ;
rdfs:label "Secret Key"@en ;
rdfs:comment "An associated Ed25519 secret key"@en .
signify:Signature
a rdfs:Class ;
rdfs:label "Signature"@en ;
rdfs:comment "An Ed25519 signature"@en .
signify:message
a rdf:Property ;
rdfs:label "Signed Message"@en ;
rdfs:domain signify:Signature .
Changelog
v0.2.0 - 2021-03-30
- Use http://purl.org/signify/ns# as base URL instead of content-addressing for vocabulary
- Encode public and secret key in a URN. Remove unnecessary PublicKey and SecretKey classes
- Add secretKey property
v0.1 - 11 June 2020
- Initial version
Copyright
This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.
References
- [ERIS] pukkamustard, Encoding for Robust Immutable Storage (ERIS), 2020.
- [ContentAddressableRDF] pukkamustard, Content-addressable RDF, 2020.
- [RFC4648] S. Josefsson, The Base16, Base32, and Base64 Data Encodings, 2006.
- [RFC8032] S. Josefsson and I. Liusvaara, Edwards-Curve Digital Signature Algorithm (EdDSA), 2017.
- [signify] T. Unangst, signify: Securing OpenBSD From Us To You, 2015.