Phillip Pearson - web + electronics notes

tech notes and web hackery from a new zealander who was vaguely useful on the web back in 2002 (see: python community server, the blogging ecosystem, the new zealand coffee review, the internet topic exchange).


Authenticating weblog comments

An interesting comment just showed up on the You Know Me button post back in January. Is anyone working on this sort of thing at the moment?

It looks like there are basically two ways to do simple trusted comments to do it: you can trust a remote server to do the authentication, or you can sign everything and make everyone verify signatures. The latter is more secure (end-to-end) but the former will work with any blogging tool.

Here are some thoughts on existing and possible future systems. How they work / how to make them work.

The comment system here: no identity verification

Here, you enter a name, e-mail address and URL and it gets put down as-is. No verification.

Manila / Slashdot: create a local account

On some sites, you create a local account and your comments are attributed to that account (or marked anonymous). You can still use someone else's name (e.g. cmdrtac0) but you can't use one that's already taken.

Passport: remote account

Sites using Microsoft's .NET Passport system send you over to the Passport site to log in. Once you are logged in, the Passport site sends you back to the original site with some sort of identity certificate.

This is pretty good: it means you only need one login, and you don't let individual sites know your password (only the Passport site knows it) when you log in, so it makes things a little safer. (You can use the same password everywhere and only have to trust Passport to keep it safe, rather than having to trust every site).

Presumably Liberty Alliance does the same thing.

The only problem that I can see with this is that there's no way for visitors to know if a comment is authentic or not. The site that got the authentication cookie from Passport knows that you are genuine, but it can't prove to anyone else that you (and not the site admin) wrote the comment. Client-side signatures (see below) can do this.

Client-side signatures

This is what Scooter's comment (on the January post) is about. You make up a private/public key pair, make your public key available from your blog, and sign all remote comments with your private key. That way, the site you post to (and any visitors) can verify the signature and tell that you wrote a comment.

The way I'd implement this would be to have a script on your own site that signs comments for you and posts them via some sort of comment API (maybe Joe G's one) back to the original site. Either that or a script on your site that signs a comment -- the blog you are commenting on lets you type in a comment, and then sends you back to your site to enter your password and get the comment signed, and then you get sent back to the original site with your comment plus a signature block.

The signing script could easily be included in hosted blogging tools like Movable Type, Manila and Blogger, or it could be hosted separately. I could do a server like the Topic Exchange to host it, although Syndic8 or someone with a reasonable user base might be a better choice.

The cool thing about this approach is that it doesn't necessarily have to have the support of the people running the blogs (where you are posting comments). If the signing script can generate signature blocks for comments, you could paste a comment plus signature anywhere you like. This is similar to how people do it with e-mail: I don't have an encryption system set up, so GPG / PGP signatures just show up at the bottom of messages for me. However, if I did set one up, I could verify signatures on messages. The e-mail transport system doesn't have a clue what's going on, though, and never needs to.
... more like this: [, ]