From f9ffac46bcd5c323d7d415ad8998b90e244b6136 Mon Sep 17 00:00:00 2001 From: RiccardoAlbertoni Date: Tue, 1 Aug 2023 21:25:19 +0200 Subject: [PATCH 1/8] rephasing the security and privacy section --- dcat/index.html | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/dcat/index.html b/dcat/index.html index d3eed28a..7cf3b282 100644 --- a/dcat/index.html +++ b/dcat/index.html @@ -5977,14 +5977,16 @@

DCAT Profiles

-

Security and Privacy

+

Security and Privacy Considerations

The DCAT vocabulary supports the attribution of data and metadata to various participants such as resource creators, publishers and other parties or agents via qualified relations, and as such defines terms that may be related to personal information. In addition, it also supports the association of rights and licenses with cataloged Resources and Distributions. These rights and licenses could potentially include or reference sensitive information such as user and asset identifiers as described in [[!ODRL-VOCAB]]. Implementations that produce, maintain, publish or - consume such vocabulary terms must take steps to ensure security and privacy considerations are addressed at the application level. + consume such vocabulary terms must take steps to ensure security and privacy considerations are addressed at the application level and transport level.

-

DCAT borrows the property spdx:checksum from [[!SPDX]] to ensure the integrity and authenticity of DCAT distributions. It is worth noting that the associated checksum will not provide the expected security protections if the integrity or authenticity of the DCAT metadata is also not guaranteed. Integrity and authenticity of DCAT metadata depend on the trustworthiness of the source. DCAT providers should address integrity and authenticity at the application level. For example, they should ensure the integrity and authenticity of their API and download endpoints and make DCAT metadata files downloadable from authoritative origins. DCAT does not prescribe the manner of generating the checksum. Publishers should provide the necessary detail for the user to reliably calculate the provided hash from the files supplied. Development of a canonical method for the generation of a checksum overlaps with the scope of the RDF Dataset Canonicalization and Hash Working Group, on which DCAT can build in the future. Moreover, the use of Verifiable Credentials Data Integrity [[?VC-DATA-INTEGRITY]] can be explored. +

DCAT borrows the property spdx:checksum from [[!SPDX]] to ensure the integrity and authenticity of DCAT distributions. DCAT does not prescribe the manner of generating the checksum. Publishers should provide the necessary detail for the user to reliably calculate the provided hash from the files supplied. +It is worth noting that the associated checksum will not provide the expected security protections if the integrity or authenticity of the DCAT metadata is not also guaranteed. Integrity and authenticity of DCAT metadata depend on the trustworthiness of the source. DCAT providers should address integrity and authenticity at the application level and transport level. For example, they should ensure the integrity and authenticity of their API and download endpoints and make DCAT metadata files downloadable from authoritative HTTPS origins.

+

The development of a canonical method for the generation of a checksum of DCAT metadata overlaps with the scope of the RDF Dataset Canonicalization and Hash Working Group, on which DCAT can build in the future. Moreover, the use of Verifiable Credentials Data Integrity [[?VC-DATA-INTEGRITY]] can be explored.

From 09b3fbb884b6ff7d4bda152967baa16a27470126 Mon Sep 17 00:00:00 2001 From: RiccardoAlbertoni Date: Tue, 1 Aug 2023 21:51:54 +0200 Subject: [PATCH 2/8] adjusting the part related to providing all the detail required by checksum --- dcat/index.html | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/dcat/index.html b/dcat/index.html index 7cf3b282..49f51909 100644 --- a/dcat/index.html +++ b/dcat/index.html @@ -5984,9 +5984,9 @@

Security and Privacy Considerations

These rights and licenses could potentially include or reference sensitive information such as user and asset identifiers as described in [[!ODRL-VOCAB]]. Implementations that produce, maintain, publish or consume such vocabulary terms must take steps to ensure security and privacy considerations are addressed at the application level and transport level.

-

DCAT borrows the property spdx:checksum from [[!SPDX]] to ensure the integrity and authenticity of DCAT distributions. DCAT does not prescribe the manner of generating the checksum. Publishers should provide the necessary detail for the user to reliably calculate the provided hash from the files supplied. +

DCAT borrows the property spdx:checksum from [[!SPDX]] to ensure the integrity and authenticity of DCAT distributions. DCAT does not prescribe the manner of generating the checksum, and different checksum algorithm might deployed. Publishers should provide the necessary detail for the user to reliably calculate the provided hash from the files supplied, in particular, indicating the adopted checksum algorithm. It is worth noting that the associated checksum will not provide the expected security protections if the integrity or authenticity of the DCAT metadata is not also guaranteed. Integrity and authenticity of DCAT metadata depend on the trustworthiness of the source. DCAT providers should address integrity and authenticity at the application level and transport level. For example, they should ensure the integrity and authenticity of their API and download endpoints and make DCAT metadata files downloadable from authoritative HTTPS origins.

-

The development of a canonical method for the generation of a checksum of DCAT metadata overlaps with the scope of the RDF Dataset Canonicalization and Hash Working Group, on which DCAT can build in the future. Moreover, the use of Verifiable Credentials Data Integrity [[?VC-DATA-INTEGRITY]] can be explored. +

Also, the development of a canonical method for the generation of a checksum of DCAT metadata overlaps with the scope of the RDF Dataset Canonicalization and Hash Working Group, on which DCAT can build in the future. Moreover, the use of Verifiable Credentials Data Integrity [[?VC-DATA-INTEGRITY]] can be explored.

From aa8f2a6374d5e9737bf24ec9363e2c5903d93c11 Mon Sep 17 00:00:00 2001 From: RiccardoAlbertoni Date: Tue, 1 Aug 2023 22:02:42 +0200 Subject: [PATCH 3/8] rephrasing --- dcat/index.html | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/dcat/index.html b/dcat/index.html index 49f51909..58d07b55 100644 --- a/dcat/index.html +++ b/dcat/index.html @@ -5984,9 +5984,9 @@

Security and Privacy Considerations

These rights and licenses could potentially include or reference sensitive information such as user and asset identifiers as described in [[!ODRL-VOCAB]]. Implementations that produce, maintain, publish or consume such vocabulary terms must take steps to ensure security and privacy considerations are addressed at the application level and transport level.

-

DCAT borrows the property spdx:checksum from [[!SPDX]] to ensure the integrity and authenticity of DCAT distributions. DCAT does not prescribe the manner of generating the checksum, and different checksum algorithm might deployed. Publishers should provide the necessary detail for the user to reliably calculate the provided hash from the files supplied, in particular, indicating the adopted checksum algorithm. +

DCAT borrows the property spdx:checksum from [[!SPDX]] to ensure the integrity and authenticity of DCAT distributions. DCAT does not prescribe the manner of generating the checksum, and different checksum algorithm might be deployed. Publishers should provide the necessary detail for the user to reliably calculate the provided hash from the files supplied, in particular, indicating the adopted checksum algorithm. It is worth noting that the associated checksum will not provide the expected security protections if the integrity or authenticity of the DCAT metadata is not also guaranteed. Integrity and authenticity of DCAT metadata depend on the trustworthiness of the source. DCAT providers should address integrity and authenticity at the application level and transport level. For example, they should ensure the integrity and authenticity of their API and download endpoints and make DCAT metadata files downloadable from authoritative HTTPS origins.

-

Also, the development of a canonical method for the generation of a checksum of DCAT metadata overlaps with the scope of the RDF Dataset Canonicalization and Hash Working Group, on which DCAT can build in the future. Moreover, the use of Verifiable Credentials Data Integrity [[?VC-DATA-INTEGRITY]] can be explored. +

Checksums are applied on DCAT distribution, but they could also be explored at the level of the whole DCAT metadata as a further way to ensure the integrity and authenticity of DCAT metadata when this is not achieved differently. The development of a canonical method for the generation of a checksum of DCAT metadata overlaps with the scope of the RDF Dataset Canonicalization and Hash Working Group, on which DCAT can build in the future. Moreover, the use of Verifiable Credentials Data Integrity [[?VC-DATA-INTEGRITY]] can be explored.

From 7031830ccdc9f92bc21d300247a01b68ab1fb54b Mon Sep 17 00:00:00 2001 From: RiccardoAlbertoni Date: Thu, 3 Aug 2023 15:38:24 +0200 Subject: [PATCH 4/8] Implementing the proposal by Annette --- dcat/index.html | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/dcat/index.html b/dcat/index.html index 58d07b55..ee89875d 100644 --- a/dcat/index.html +++ b/dcat/index.html @@ -5979,14 +5979,13 @@

DCAT Profiles

Security and Privacy Considerations

- The DCAT vocabulary supports the attribution of data and metadata to various participants such as resource creators, publishers and other parties or agents via qualified relations, - and as such defines terms that may be related to personal information. In addition, it also supports the association of rights and licenses with cataloged Resources and Distributions. - These rights and licenses could potentially include or reference sensitive information such as user and asset identifiers as described in [[!ODRL-VOCAB]]. Implementations that produce, maintain, publish or - consume such vocabulary terms must take steps to ensure security and privacy considerations are addressed at the application level and transport level. + The DCAT vocabulary supports the datasets that may contain personal or private information. In addition, the metadata expressed with DCAT may itself contain personal or private information, such as resource creators, publishers and other parties or agents via qualified relations. + Implementations that produce, maintain, publish or consume such vocabulary terms must take steps to ensure security and privacy considerations are addressed at the application level and transport level.

-

DCAT borrows the property spdx:checksum from [[!SPDX]] to ensure the integrity and authenticity of DCAT distributions. DCAT does not prescribe the manner of generating the checksum, and different checksum algorithm might be deployed. Publishers should provide the necessary detail for the user to reliably calculate the provided hash from the files supplied, in particular, indicating the adopted checksum algorithm. -It is worth noting that the associated checksum will not provide the expected security protections if the integrity or authenticity of the DCAT metadata is not also guaranteed. Integrity and authenticity of DCAT metadata depend on the trustworthiness of the source. DCAT providers should address integrity and authenticity at the application level and transport level. For example, they should ensure the integrity and authenticity of their API and download endpoints and make DCAT metadata files downloadable from authoritative HTTPS origins.

-

Checksums are applied on DCAT distribution, but they could also be explored at the level of the whole DCAT metadata as a further way to ensure the integrity and authenticity of DCAT metadata when this is not achieved differently. The development of a canonical method for the generation of a checksum of DCAT metadata overlaps with the scope of the RDF Dataset Canonicalization and Hash Working Group, on which DCAT can build in the future. Moreover, the use of Verifiable Credentials Data Integrity [[?VC-DATA-INTEGRITY]] can be explored. +

Some datasets require assurances of integrity and authenticity (for example, data about software vulnerabilities). For these, checksums can serve as a type of verification. + DCAT borrows the spdx:Checksum class from [[!SPDX]] to ensure the integrity and authenticity of DCAT distributions. Publishers may provide a checksum value (a hash) and the algorithm used to generate the hash for each resource in the distribution. A checksum must, however, be provided via a route that is separate from the data it sums. It may be included in metadata that is provided with the data (e.g., a tarfile that includes a file for the distribution and a file for the metadata that includes a checksum for the distribution file), but if so the checksum, or a checksum for the metadata, must also be provided separately to foil an attacker who would manipulate the checksum along with the data. A checksum provided in DCAT metadata will not provide the expected assurances if the integrity and authenticity of the metadata are not also guaranteed. +

+

Integrity and authenticity of DCAT data ultimately depend on the trustworthiness of the source. DCAT providers should address integrity and authenticity at the application level and transport level. For example, they should ensure the integrity and authenticity of their API and download endpoints, make DCAT data and metadata files downloadable from authoritative HTTPS origins, and provide any checksums via a separate channel from the data they represent.

From 0f79bcdb6b1822a83764727b6f42501294d3f83d Mon Sep 17 00:00:00 2001 From: RiccardoAlbertoni Date: Thu, 3 Aug 2023 16:27:56 +0200 Subject: [PATCH 5/8] further adjustement rereading Co-authored-by: Annette Greiner --- dcat/index.html | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dcat/index.html b/dcat/index.html index ee89875d..dd8ddaa0 100644 --- a/dcat/index.html +++ b/dcat/index.html @@ -5980,7 +5980,7 @@

DCAT Profiles

Security and Privacy Considerations

The DCAT vocabulary supports the datasets that may contain personal or private information. In addition, the metadata expressed with DCAT may itself contain personal or private information, such as resource creators, publishers and other parties or agents via qualified relations. - Implementations that produce, maintain, publish or consume such vocabulary terms must take steps to ensure security and privacy considerations are addressed at the application level and transport level. + Implementers who produce, maintain, publish or consume such vocabulary terms must take steps to ensure security and privacy considerations are addressed. Sensitive data and metadata must be stored securely and made available only to authorized parties, in accordance with the legal and functional requirements of the type of data involved. Detailing how to secure web content and authenticate users is beyond the scope of DCAT.

Some datasets require assurances of integrity and authenticity (for example, data about software vulnerabilities). For these, checksums can serve as a type of verification. DCAT borrows the spdx:Checksum class from [[!SPDX]] to ensure the integrity and authenticity of DCAT distributions. Publishers may provide a checksum value (a hash) and the algorithm used to generate the hash for each resource in the distribution. A checksum must, however, be provided via a route that is separate from the data it sums. It may be included in metadata that is provided with the data (e.g., a tarfile that includes a file for the distribution and a file for the metadata that includes a checksum for the distribution file), but if so the checksum, or a checksum for the metadata, must also be provided separately to foil an attacker who would manipulate the checksum along with the data. A checksum provided in DCAT metadata will not provide the expected assurances if the integrity and authenticity of the metadata are not also guaranteed. From c78c75dfe4a76d6b6936b88ef444aae790ffb2fb Mon Sep 17 00:00:00 2001 From: Riccardo Albertoni Date: Fri, 4 Aug 2023 01:15:09 +0200 Subject: [PATCH 6/8] Update dcat/index.html Co-authored-by: Pierre-Antoine Champin --- dcat/index.html | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dcat/index.html b/dcat/index.html index dd8ddaa0..dd9f6469 100644 --- a/dcat/index.html +++ b/dcat/index.html @@ -5979,7 +5979,7 @@

DCAT Profiles

Security and Privacy Considerations

- The DCAT vocabulary supports the datasets that may contain personal or private information. In addition, the metadata expressed with DCAT may itself contain personal or private information, such as resource creators, publishers and other parties or agents via qualified relations. + The DCAT vocabulary supports datasets that may contain personal or private information. In addition, the metadata expressed with DCAT may itself contain personal or private information, such as resource creators, publishers and other parties or agents via qualified relations. Implementers who produce, maintain, publish or consume such vocabulary terms must take steps to ensure security and privacy considerations are addressed. Sensitive data and metadata must be stored securely and made available only to authorized parties, in accordance with the legal and functional requirements of the type of data involved. Detailing how to secure web content and authenticate users is beyond the scope of DCAT.

Some datasets require assurances of integrity and authenticity (for example, data about software vulnerabilities). For these, checksums can serve as a type of verification. From 466aa4543376b84088c79a34ce5698d67d6fba07 Mon Sep 17 00:00:00 2001 From: RiccardoAlbertoni Date: Fri, 4 Aug 2023 01:45:41 +0200 Subject: [PATCH 7/8] adding some words I missed copying Annette's text --- dcat/index.html | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dcat/index.html b/dcat/index.html index dd9f6469..ac60d313 100644 --- a/dcat/index.html +++ b/dcat/index.html @@ -5979,7 +5979,7 @@

DCAT Profiles

Security and Privacy Considerations

- The DCAT vocabulary supports datasets that may contain personal or private information. In addition, the metadata expressed with DCAT may itself contain personal or private information, such as resource creators, publishers and other parties or agents via qualified relations. + The DCAT vocabulary supports datasets that may contain personal or private information. In addition, the metadata expressed with DCAT may itself contain personal or private information, such as resource creators, publishers, and other parties or agents described via qualified relations. Implementers who produce, maintain, publish or consume such vocabulary terms must take steps to ensure security and privacy considerations are addressed. Sensitive data and metadata must be stored securely and made available only to authorized parties, in accordance with the legal and functional requirements of the type of data involved. Detailing how to secure web content and authenticate users is beyond the scope of DCAT.

Some datasets require assurances of integrity and authenticity (for example, data about software vulnerabilities). For these, checksums can serve as a type of verification. From c45f14d555b76df13d6a0095d6aa1bd7564ae4f1 Mon Sep 17 00:00:00 2001 From: Riccardo Albertoni Date: Sun, 6 Aug 2023 12:06:11 +0200 Subject: [PATCH 8/8] attempt to unblock ipr checking status --- dcat/index.html | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dcat/index.html b/dcat/index.html index ac60d313..e8420044 100644 --- a/dcat/index.html +++ b/dcat/index.html @@ -5984,7 +5984,7 @@

Security and Privacy Considerations

Some datasets require assurances of integrity and authenticity (for example, data about software vulnerabilities). For these, checksums can serve as a type of verification. DCAT borrows the spdx:Checksum class from [[!SPDX]] to ensure the integrity and authenticity of DCAT distributions. Publishers may provide a checksum value (a hash) and the algorithm used to generate the hash for each resource in the distribution. A checksum must, however, be provided via a route that is separate from the data it sums. It may be included in metadata that is provided with the data (e.g., a tarfile that includes a file for the distribution and a file for the metadata that includes a checksum for the distribution file), but if so the checksum, or a checksum for the metadata, must also be provided separately to foil an attacker who would manipulate the checksum along with the data. A checksum provided in DCAT metadata will not provide the expected assurances if the integrity and authenticity of the metadata are not also guaranteed. -

+

Integrity and authenticity of DCAT data ultimately depend on the trustworthiness of the source. DCAT providers should address integrity and authenticity at the application level and transport level. For example, they should ensure the integrity and authenticity of their API and download endpoints, make DCAT data and metadata files downloadable from authoritative HTTPS origins, and provide any checksums via a separate channel from the data they represent.