A RDF vocabulary for cryptographically signing content-addressed content using the Ed25519 algorithm.
In previous work we have shown how RDF data can be made content-addressable [ContentAddressableRDF]. This automatically allows the integrity of the data to be verified. To ensure authenticity of content we need to mix in some asymmetric cryptography.
RDF Signify is a simple RDF vocabulary (a single class and three predicates) that describes how the Ed25519 [RFC8032] algorithm can be used for signing and verifying content.
RDF Signify cannot sign messages directly, but can be used to sign identifiers of content-addressed content. In particular it can sign identifiers of content-addressed RDF [ContentAddressableRDF] that is encoded with ERIS [ERIS].
We believe that RDF Signify is a significantly simpler approach than what is proposed in the context of Linked Data Proofs (previously Linked Data Signatures), allowing much easier implementation and wider adoption.
The vocabulary is inspired by the OpenBSD signify tool [signify].
Public and secret keys are encoded as URNs.
A public key is encoded as a URI as follows:
Where the 32-byte public key is encoded using the Base32 encoding without padding [RFC4648].
A secret key can be encoded similarly:
signify: is used for
A public key may be published and attached to objects (e.g. an ActivityPub actor) using the
For example this can be used to attach a public key to an ActivityStreams actor:
@prefix signify: <http://purl.org/signify#> .
@prefix as: <https://www.w3.org/ns/activitystreams#> .

<https://social.example/alyssa/> a as:Person ;
    as:name "Alyssa P. Hacker" ;
    as:preferredUsername "alyssa" ;
    signify:publicKey <crypto:ed25519:pk:V4B5SJBQMRDPL4FSLZWCBYJ4BYPAGJDI5EELORBGIADUTWP4EXTQ> .
Similarly to public keys, a secret key may be attached to objects using the
Secret keys need to be kept secret and should never be attached to an object that may be shared or become public.
The signify:Signature class defines an Ed25519 signature of a message.
The expected properties of a
The IRI that is signed. Range must be an IRI.
The Ed25519 signature value of the UTF-8 encoded byte sequence of the message IRI encoded as
Public key corresponding to the secret key used to sign the message.
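As an added example (not code from the RDF Signify specification or its author), the key encoding and signature checks described above in Go, using only the standard library: the public key URN is the crypto:ed25519:pk: form with unpadded RFC 4648 Base32 as in the actor example above, and what gets signed is the UTF-8 byte sequence of the message IRI. The page does not state how the signature value itself is encoded, so it is kept as raw bytes here, and the message IRI used in the test is a constructed placeholder.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base32"
	"errors"
	"strings"
)

// Unpadded RFC 4648 Base32, matching the crypto:ed25519:pk: URN in the page's example.
var b32 = base32.StdEncoding.WithPadding(base32.NoPadding)

// PublicKeyURN encodes a raw 32-byte Ed25519 public key as a crypto:ed25519:pk: URN.
func PublicKeyURN(pk ed25519.PublicKey) string {
	return "crypto:ed25519:pk:" + b32.EncodeToString(pk)
}

// ParsePublicKeyURN reverses PublicKeyURN, rejecting wrong prefixes, bad Base32 and wrong key lengths.
func ParsePublicKeyURN(urn string) (ed25519.PublicKey, error) {
	if !strings.HasPrefix(urn, "crypto:ed25519:pk:") {
		return nil, errors.New("not a crypto:ed25519:pk: URN")
	}
	raw, err := b32.DecodeString(strings.TrimPrefix(urn, "crypto:ed25519:pk:"))
	if err != nil {
		return nil, err
	}
	if len(raw) != ed25519.PublicKeySize {
		return nil, errors.New("public key must be exactly 32 bytes")
	}
	return ed25519.PublicKey(raw), nil
}

// SignMessageIRI signs the UTF-8 bytes of the message IRI (the content address), not the content itself.
func SignMessageIRI(sk ed25519.PrivateKey, messageIRI string) []byte {
	return ed25519.Sign(sk, []byte(messageIRI))
}

// VerifyMessageIRI re-derives the key from the signify:publicKey URN and checks the signify:message IRI.
func VerifyMessageIRI(pkURN, messageIRI string, sig []byte) error {
	pk, err := ParsePublicKeyURN(pkURN)
	if err != nil {
		return err
	}
	if !ed25519.Verify(pk, []byte(messageIRI), sig) {
		return errors.New("signature does not match message IRI")
	}
	return nil
}
```

Because only the identifier is signed, a verifier still has to fetch the content by that identifier and check that it matches (which ERIS and content-addressable RDF provide); the signature alone proves who vouched for the identifier, not what it resolves to.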
We believe we have presented a simple vocabulary that enables cryptographic signatures of content-addressed data. We intend to use this as an understandable and implementable alternative to Linked Data Proofs. However, using this vocabulary requires the data to already be content-addressed (whereas Linked Data Proofs perform normalization and content-addressing as part of the signature procedure).
The major hurdle in using RDF Signify is that it requires content-addressing. We intend to continue evangelizing the merits of content-addressing and provide further examples of how RDF Signify can be used in existing systems such as ActivityPub.
The vocabulary is also available at http://purl.org/signify/ns.
@prefix signify: <http://purl.org/signify/ns#> .
@prefix rdf: <http://www.w3.org/1999/02/22-rdf-syntax-ns#> .
@prefix rdfs: <http://www.w3.org/2000/01/rdf-schema#> .
@prefix owl: <http://www.w3.org/2002/07/owl#> .

<http://purl.org/signify/ns#> a owl:Ontology ;
    rdfs:label "RDF Signify" ;
    rdfs:comment "A RDF vocabulary for cryptographically signing content-addressed content using the Ed25519 algorithm."@en .

signify:publicKey a rdf:Property ;
    rdfs:label "Public Key"@en ;
    rdfs:comment "An associated Ed25519 public key"@en .

signify:secretKey a rdf:Property ;
    rdfs:label "Secret Key"@en ;
    rdfs:comment "An associated Ed25519 secret key"@en .

signify:Signature a rdfs:Class ;
    rdfs:label "Signature"@en ;
    rdfs:comment "An Ed25519 signature"@en .

signify:message a rdf:Property ;
    rdfs:label "Signed Message"@en ;
    rdfs:domain signify:Signature .
This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.
[ERIS] pukkamustard, Encoding for Robust Immutable Storage (ERIS), 2020.
[ContentAddressableRDF] pukkamustard, Content-addressable RDF, 2020.
[RFC4648] S. Josefsson, The Base16, Base32, and Base64 Data Encodings, 2006.
[RFC8032] Josefsson and Liusvaara, Edwards-Curve Digital Signature Algorithm (EdDSA), 2017.
[signify] Unangst, signify: Securing OpenBSD From Us To You, 2015.