This repository has been archived by the owner on Jul 29, 2018. It is now read-only.
Mike Tigas edited this page Apr 29, 2014 · 15 revisions

This is a project of the U.S. Open Data Institute to provide a system where open data released by governments can be authenticated by end users — whether or not the data was downloaded from the official source.

Government data releases need to abide by local laws (for example, the District of Columbia Official Code) and should also abide by the Uniform Electronic Legal Material Act (UELMA). Part of the UELMA provisions states that “legal material be…authenticated, by providing a method to determine that it is unaltered”.

This project aims to give agencies a web-based interface that provides this functionality.

Data integrity must not be mistaken for authentication. A user should be able to validate that data has not been tampered with since release, and must also be able to authenticate that the data was provably distributed by a given agency at some point in time (and is not simply a well-constructed checksum collision).
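The difference between the two checks, as an added example that is not part of this project's code. It assumes an HMAC-SHA256 tag under a server-held key as a stand-in for the GnuPG signature the project plans to use (unlike a PGP signature, such a tag can only be verified by the site holding the key); the key, function names and sample data are constructed for illustration.

```python
import hashlib
import hmac

# Assumption: constructed demo key standing in for the agency's GnuPG private key.
AGENCY_KEY = b"constructed-demo-key"


def sha256_hex(data: bytes) -> str:
    """Plain checksum: anyone who holds the file can compute it."""
    return hashlib.sha256(data).hexdigest()


def agency_tag(data: bytes, key: bytes = AGENCY_KEY) -> str:
    """Keyed tag: only the holder of the key can produce it for given data."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def integrity_only_check(data: bytes, checksum_beside_file: str) -> bool:
    """Compare a file with a checksum obtained from the same place as the file."""
    return hmac.compare_digest(sha256_hex(data), checksum_beside_file)


def authenticated_check(data: bytes, tag: str, key: bytes = AGENCY_KEY) -> bool:
    """Site-side check of an uploaded file against the tag that accompanied it."""
    return hmac.compare_digest(agency_tag(data, key), tag)


# Constructed sample release and an altered copy of it.
OFFICIAL = b"parcel_id,assessed_value\n1001,250000\n1002,310000\n"
ALTERED = OFFICIAL.replace(b"310000", b"130000")
OFFICIAL_TAG = agency_tag(OFFICIAL)  # published by the agency at release time


def demo() -> dict:
    # An unofficial mirror can recompute a checksum for the altered file,
    # but it cannot produce a valid tag without the agency key.
    mirror_checksum = sha256_hex(ALTERED)
    mirror_tag = agency_tag(ALTERED, key=b"some-other-key")
    return {
        "altered_passes_checksum": integrity_only_check(ALTERED, mirror_checksum),
        "altered_with_official_tag": authenticated_check(ALTERED, OFFICIAL_TAG),
        "altered_with_mirror_tag": authenticated_check(ALTERED, mirror_tag),
        "official_with_official_tag": authenticated_check(OFFICIAL, OFFICIAL_TAG),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The altered file passes the checksum comparison because the checksum came from the same untrusted source as the file; only the keyed check ties the data to the agency.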


High-level needs

  • Users must be able to upload a data file to double-check that the file was actually released by the agency and has not been tampered with.
  • Advanced users should be able to retrieve file hash information or PGP signatures (depending on final implementation details).
  • Administrators must be able to upload data files and provide metadata about said files.
  • Administrators must be able to edit file metadata and upload new versions of data files.
  • Administrators must be able to remove files from the service.

Architecture

The service is a basic Django application, configured and integrated with this fork of python-gnupg, a wrapper around the gnupg command-line client.

It is recommended that a previously unused GPG key be used for installations of this project. (This project should eventually contain a "setup script" wrapper that shields all actual GnuPG complexity from an implementor of this project.)

GnuPG private key material (which the authentication site instance uses to authenticate data in addition to provide data integrity

Some basic sketchwork:
