## February 28, 2004

On the internet, nobody knows you’re a dog.

In one way, that’s great. If you want to be anonymous, there’s plenty of scope for it on the internet. Even when you post comments on this blog and I ask you for an email address and/or a URL of your website, nothing prevents you from entering totally bogus ones.

On the other hand, say you’ve already established something of an online identity, perhaps through your own web site, or as a frequent commenter at this or some other blog(s). What prevents someone else from coming along and posting a comment here, leaving your name and your website’s URL to identify himself? Put another way, how can readers determine the authenticity of comments left here?

Let me pause to say what I mean by ‘authenticity.’ Most readers of this blog have never met you, personally. They know you through your comments, and perhaps through your own web site. What they would like to know is that the person who authored the comment in question is the same person who authored those other comments and who runs that web site1.

Well, now there’s a way to reassure them. If you have a PGP public key (if you don’t, create one for yourself), put a link to it in the <head> section of your web page:

<link rel="pgpkey" type="application/pgp-keys" href="http://yoursite.com/path/to/yourkey.asc" />

Then you can

1. Compose and preview your comment as before.
2. Edit it, as needed, and preview again.
3. When you’re satisfied with the final form of the comment, use GPGDropThing (for MacOSX) or GPGShell (for Windows) or your favourite PGP tool to clear-sign the text in the comment-entry box. Paste the clear-signed comment into the comment-entry box, replacing the unsigned version.
4. Click PREVIEW once again, and then click on POST.

To outward appearances, your comment will look no different than before. The only difference will be a clickable link to “verify” the comment.

If you, or another reader, clicks on it, your key is fetched from the URL specified in the link on your web site, and is used to verify that you — and you alone — composed the comment. The key is cached locally, so subsequent verifications of the signature will be nearly instantaneous. The raw, clear-signed comment is available, so paranoid readers can check the signature themselves — provided they have your public key.

I’d been thinking about implementing this for a while, and even went through the hideously-complicated process of installing Crypt::OpenPGP on MacOSX. Fortunately, Krishnan Srijith did the rest of the heavy lifting and wrote a MovableType plugin. I added a few of my own tweaks and … there we are.

Update (3/3/2004): Automatic fetching of PGP keys, as described above is enabled now. In my and Srijith’s limited testing, it seems to work well. But please let me know if you encounter problems.

Update (3/5/2004): I’ve posted some more thoughts on PGP-signed comments.

1 This is a little different from the exigencies of verifying the identity of the author of an email, which is the traditional use of PGP signatures. There, the PGP “Web-of-Trust” model works fairly well. Here, it doesn’t necessarily work so well, a point elaborated on in greater detail by Phil Ringnalda.

Posted by distler at February 28, 2004 2:40 PM

TrackBack URL for this Entry:   http://golem.ph.utexas.edu/cgi-bin/MT-3.0/dxy-tb.fcgi/320

Though I’m not quite as sure as I once was that we absolutely can’t use the keyservers. I’m getting the feeling that it’s quite within spec to use the various levels of signature in any way you like, as long as you

1. Explain yourself at your embedded Policy URL
2. Are willing to be frowned upon

So from my current understanding, if we all simply said that we would sign any key we retrieve from either a commenter’s URL or a URL in a signed comment’s PGP comment at class \0x12 (“Casual certification of a User ID and Public Key packet. The issuer of this certification has done some casual verification of the claim of identity.”), then we could quite often use the keyservers rather than getting the key from a website, while manually verifying signatures. If I see a signed comment from someone new to me, but the key I get from the keyserver says that you and Srijith have both signed it, I’ll call that good enough. Of course we’ll probably piss off the rest of the WoT community, who seem to feel that anything less that two pieces of photo ID means you’re probably an alien, or the NSA, but so be it.

Posted by: Phil Ringnalda on March 1, 2004 12:12 AM | Permalink | PGP Sig | Reply to this

If I see a signed comment from someone new to me, but the key I get from the keyserver says that you and Srijith have both signed it, I’ll call that good enough.

That — for present purposes — would probably be good enough for me too. But I would require a higher-level of assurance before I started exchanging encrypted email with that person.

Really, I don’t care where I download the key from (the keyserver is fine by me). What I want is an easy way to verify the association of a given public key with a commenter’s “web identity” (for present purposes, their web URL).

To the extent that it’s possible, I’d like the association to be done automatically, rather than by manually perusing the signatures on a public key.

Right now, when the number of people PGP-signing blog comments can be counted on the fingers of one hand, doing things manually sounds OK. But it’s clearly an impediment to widespread adoption. And if, by some miracle, PGP-signing of blog comments were to become widely adopted, manual verification of the authenticity of the commenters public keys would not be viable.

We need something better.

Posted by: Jacques Distler on March 1, 2004 12:42 AM | Permalink | PGP Sig | Reply to this

Quiet true. But then, even after the verification tools are ready, for a blog owner like me, who cannot install Crypt::OpenPGP, verification will still be a dream :)

BTW, what do you use to query the keyserver to fetch the public key of the commenter? The email address? I hope not, because I do not enter a plain spam-friendly email address to the blog comments. Or do you use just use the keyid?

Posted by: Srijith on March 1, 2004 3:02 AM | Permalink | PGP Sig | Reply to this

I have to say, Jacques, that’s pretty amazing. Need I say it? You’re a genius.

P.S. This post was not really made by Jacques Distler. It was made by me, Harold J. Johnson, of VoyagerRadio. I can be reached at Harold@VoyagerRadio.com.

Posted by: Jacques Distler on March 1, 2004 3:01 PM | Permalink | Reply to this

### Impersonators

Well, it ain’t done yet. We still need to implement the autodiscovery of PGP public keys thingamajig.

Luckily, now I don’t have to delete the imposter’s comment. I merely have to point out that it wasn’t signed by me, so there’s no reason to believe it actually was from me.

Posted by: Jacques Distler on March 1, 2004 4:24 PM | Permalink | PGP Sig | Reply to this
Read the post Coverage of PGP commenting idea
Weblog: TriNetre - The Third Eye
Excerpt: Some good coverage and discussion on the idea of PGP signing comment posts: PGP-Signed Comments - A good introduction by Jacuqes Distler on why comments should be signed. Notes...
Tracked: March 5, 2004 8:49 PM

I went through a lot of trouble getting comments verified.

The problem was Mac OS X is encoding special characters in UTF-8, and GPG usually is configured to sign using charset utf8 as well. But when I copy and paste the signed comment to MTs comment text area and submit it, a silent conversion to ISO-8859-1 is done. The Umlauts (which in my case I am using when writing German) still look the same, but the signature has become broken.

When I copy the raw comment back to GPGDropThing and verify the signature, it verifies alright (as it just has been converted back to UTF-8 for displaying on Mac OS X), but the serverside verification done by the OpenPGPComment plugin is being done against the ISO-8859-1 encoded comment and thus fails having a bad signature.

I seems to require some knowledge on side of the commenter to handle encoding problems like this.

(BTW: Mailprograms ship around this kind of problem by converting the message to quoted printable prior to signing the message.)

Posted by: Christoph Rummel on March 6, 2004 12:49 AM | Permalink | PGP Sig | Reply to this

### Encoding issues

There are two configuration options in your gpg.conf file which bear on this:

charset utf8 / charset iso-8859-1
utf8-strings / no-utf8-strings

Do you know which combination (if any) solves the problem?

For what it’s worth, if your signature were broken for server-side verification, it would, most likely, also be broken when readers using other operating systems try to verify the raw comment.

Posted by: Jacques Distler on March 6, 2004 8:42 AM | Permalink | PGP Sig | Reply to this

### Re: Encoding issues

I commented both utf6-settings out to default back to iso-8859-1. This way it works.

The strings-setting seems to be only applicable to cammandline-parameters, so charset is the thing that has to be set to iso-8859-1 or commented out, which is the default.

Yes, as long as those signatures ar not verified on a system using UTF-8 as standard encoding, the signature will be broken.

Posted by: Christoph Rummel on March 6, 2004 12:23 PM | Permalink | PGP Sig | Reply to this

### Re: Encoding issues

The strings-setting seems to be only applicable to cammandline-parameters

Not so. They are perfectly good setting to appear in the configuration file, and they are directly relevant to the issue at hand. There are, as I said, 4 different combinations to choose from. It would be useful to know which of the 4 lead to valid signatures.

charset is the thing that has to be set to iso-8859-1 or commented out, which is the default.

What the default charset for gpg is depends on your Locale.

And, the default charset on your system doesn’t really change the charset of your comment. Just because (say) your system is using koi8-r (Russian) encoding, your comment on my blog still has to be in iso-8859-1, 'cuz that’s the charset of my blog.

But these are edge-cases. In your situation, setting the charset in gpg.conf to iso-8859-1 is perfectly appropriate – for both your purposes and mine.

It just may not work for everyone.

Posted by: Jacques Distler on March 6, 2004 12:55 PM | Permalink | PGP Sig | Reply to this

Posted by: Robert Ames on August 1, 2006 4:23 PM | Permalink | Reply to this

How about using the Open ID?

Posted by: Jasmine P on May 29, 2009 6:27 AM | Permalink | Reply to this
Read the post Server-side signature verification in OpenPGPComment
Weblog: TriNetre - The Third Eye
Excerpt: With the release of version 1.4, OpenPGPComment now has the ability to perform automatic server-side verification of PGP/GPG signed comments. Do upgrade if you like this feature. Thanks goes...
Tracked: March 9, 2004 9:20 PM
Weblog: Curiosity is bliss
Excerpt: How do you authenticate when posting comments? How do you follow up on comments you posted? Simon's comment authentication via url ownership Simon Willison designed and prototyped a nice solution to authenticate yourself by a url (say your blog's addre...
Tracked: April 9, 2004 5:08 PM
Read the post Microsoft Passport 101
Weblog: Curiosity is bliss
Excerpt: ...a simple explanation of the Passport web authentication protocol......
Tracked: April 22, 2004 11:55 AM
Weblog: Musings
Excerpt: A serious MovableType security vulnerability.
Tracked: January 18, 2007 10:02 PM

I’m having some trouble with PGP signed comments. The blog software
seems to be going to the correct URL to find my public key
(http://tqft.net/key), but then reports:

==========================================
Key not in ring. Fetching…

Going to find author’s pubkey URL from his homepage http://tqft.net/

Going to get the public key from http://tqft.net/key

Error verifying signature: Could not find public key with KeyID
6831e9b2915df007.
==========================================

I’m not sure what’s wrong; I’m fairly certain I’m signing the message
with that same key. If anyone would like to try to debug this for me,
you can start simply by checking the PGP sig on this message!

Posted by: Scott Morrison on January 29, 2007 1:33 PM | Permalink | PGP Sig | Reply to this

Works now.

For reasons that I am not entirely clear about, the keyring that stores the previously-fetched public keys got screwed-up in some way.

Starting with a fresh keyring worked fine. Your key imported, and the signature verified.

Unfortunately, this means that a few previously-fetched keys are now “404”, as their owners have moved on, and no longer have links to their public keys on their site(s). :-(

Posted by: Jacques Distler on January 29, 2007 5:13 PM | Permalink | PGP Sig | Reply to this

I’m having the same issue, it would seem, with my own setup. I’ve tried it out here: http://golem.ph.utexas.edu/category/2006/09/this_weeks_finds_in_mathematic.html#c030557
and in the reply to that outlined the issues I’m having. Short one is that I’m getting the same error message as Scott quoted above.

Any hope for a check?

Posted by: Mikael Vejdemo Johansson on December 27, 2009 6:17 PM | Permalink | PGP Sig | Reply to this

When I did so, I go the following error message:

gpg: key E06CEFE4: public key "Mikael Vejdemo Johansson " imported
gpg: key C07CCCCD: public key "Mikael Vejdemo Johansson " imported
gpg: Total number processed: 2
gpg:               imported: 2
gpg: subpacket of type 5 too short
gpg: no ultimately trusted keys found

I don’t know what “subpacket of type 5 too short” means. But, evidently, it added your key just fine, and now your signature verifies.

Posted by: Jacques Distler on December 27, 2009 8:53 PM | Permalink | PGP Sig | Reply to this

Nice to see some implementations, i will be playing with this too

(does this work with keyserverlookups? lets see)

Posted by: Jochem on February 19, 2007 12:33 PM | Permalink | PGP Sig | Reply to this

### Keyserver lookups

The href attribute of the <link rel="pgpkeys"> element can perfectly-well be a keyserver lookup (though it’s probably easier and more reliable to point to a static file on your website).

But, no, you have to prove to me that you own some piece of URL-space, by placing that element in the <head> of your web page.

Posted by: Jacques Distler on February 19, 2007 12:45 PM | Permalink | PGP Sig | Reply to this

PGP signed comments could solve a lot of problems but I guess that less then 1% of all Internet users know what PGP actually is.

If this does not work as a black box, PGP will be used only by a small group of users.

Posted by: anonymous email on May 29, 2007 2:25 AM | Permalink | Reply to this

I’ve started PGP-signing all my comments on the n-category cafe, mostly because that way other people can view the source, but I do also like the idea of verifying the identity of posters.

However, now that I’m a co-host of the cafe, I receive email about all comments on one of my posts. For signed comments, these emails include the signature data, but it doesn’t verify correctly. I think this is because the comment text inside the signature block has been line-wrapped with hard returns, so it’s not the same as the original text that was signed.

Posted by: Mike Shulman on October 9, 2009 3:57 PM | Permalink | PGP Sig | Reply to this

The problem is entirely due to line-wrapping of the comment-body. When I tried to verify the copy of your comment that arrived by email, the verification failed. However, removing the line-feeds (turning your two paragraphs back into one long line each), the signature verified.

PGP, used for signing emails, typically has a feature to linewrap your message (before signing) to prevent this (and other) problem(s) created by inconsiderate mailers. I suspect suitable MIME-encoding the email would serve the same function. Dunno about the practicality of actually implementing something like that …

Posted by: Jacques Distler on October 9, 2009 9:52 PM | Permalink | PGP Sig | Reply to this

Is this in anyway related to OpenID? This is kind of old and I think OpenID has now kind of replaced this. Maybe OpenID uses this.

Posted by: Ed on September 10, 2010 7:19 PM | Permalink | Reply to this

Is this blog post the closest thing there is to a spec for rel=pgpkey?

Posted by: Henri Sivonen on June 3, 2011 8:47 AM | Permalink | PGP Sig | Reply to this

Is this blog post the closest thing there is to a spec for rel=pgpkey?

Effectively. Blame Phil Ringalda.

Posted by: Jacques Distler on June 3, 2011 9:37 AM | Permalink | PGP Sig | Reply to this

OK. I registered pgpkey as an HTML5 rel keyword using this post as the spec.