Skip to the Main Content

Note:These pages make extensive use of the latest XHTML and CSS Standards. They ought to look great in any standards-compliant modern browser. Unfortunately, they will probably look horrible in older browsers, like Netscape 4.x and IE 4.x. Moreover, many posts use MathML, which is, currently only supported in Mozilla. My best suggestion (and you will thank me when surfing an ever-increasing number of sites on the web which have been crafted to use the new standards) is to upgrade to the latest version of your browser. If that's not possible, consider moving to the Standards-compliant and open-source Mozilla browser.

March 4, 2004

Notes on Comment Authentication

I thought I’d write some more notes on the recent implementation of PGP-signed comments on this blog, which will appear in the next release (version 1.4) of the OpenPGPComment plugin for MovableType.

In my previous entry, I made the obvious point that commenters would like to avoid “identity theft,” and that PGP-signed comments provide protection against that. More broadly, from the point of view of having serious scientific discussions — as occasionally appear here or on the String Coffee Table — you do want some assurance that the person who left a comment really is who they said they are. In the end, we really do care who said what in the discussion.

The anonymous nature of the internet makes the problem of “identity” a hard one. In physics, when we encounter an intractably-hard problem, our most frequent dodge is to redefine the problem to one which admits a solution, and hope that the result is a “good-enough” stand-in for the original problem. In that spirit, I (re)defined the problem as reliably associating comments posted with the websites of the commenters.

For commenters who have an email address, but no web page, I don’t really have a solution, other than to fall back on the traditional PGP Web-of-Trust, which is designed to establish the connection between a signed message, an email address, and an actual person.

To associate a comment with the owner of a website, however, we have a relatively simple strategy. The owner of the website puts a

<link rel="pgpkey" type="application/pgp-keys" href="http://yoursite.com/path/to/yourkey.asc" />

on his homepage. When he posts a PGP-signed comment, and leaves the URL of his homepage, we can use the <link> on his homepage to find the keyfile containing his public key. The key is then stored on the keyring locally, for subsequent verifications of his comment(s). We allow multiple <link rel="pgpkey">’s on a page. So if you have a group blog (say), each author can have his own keyfile. Also, the key isn’t fetched when the comment is posted, but rather when the comment is first verified. You might want to get into the habit of checking the signature on your own comments after posting them. The first time you do that, your key will be downloaded and stored locally.

You’ll note, also, that when you click on a link to verify a comment, we display, not only the verification status and the “UID” information (usually, an email address), but also the URL of the homepage from which it was fetched.

Why?

Imagine we displayed only the UID (email address) associated to the key. Consider the following attack. Bob Evil has a website, nasty.net. Bob creates a public key in the name of Mary Goode, and put a <link rel="pgpkey"> pointing to it on his website. Mary has her own site, nice.com, and is unaware of Bob’s nefarious plans. Bob posts a comment here, in Mary’s name, leaving nasty.net as the URL. Say, on this first comment, we don’t notice the discrepancy (Mary has nothing to do with nasty.net). Having gotten his bogus key onto the keying, Bob can now return and post comments in Mary’s name, leaving nice.com as the URL. The comments will now verify as “Mary’s” (and display her UID) which is definitely bad for her.

The flaw was that we are really trying to verify the comment author’s website, whereas her PGP key is, typically, tied to her email address. The solution is to display the URL of the homepage (nasty.net) from which the key was originally fetched. Now Bob can never fool us into thinking his comments come from the owner of nice.com.

In terms of implementation, the public keys of commenters are stored in a standard GnuPG keyring (not your personal Public-keyring; this one has to be writable by the web-server!). We maintain a separate database of key-id/URL pairs. There’s a bit of a management issue, keeping those two synchronized. We’ll have to write some tools to address that, eventually.

Finally, I want to re-emphasize the importance of making this whole thing easy and transparent for the readers. If verifying PGP-signed comments is tedious, then readers won’t actually do it. In that situation, sporting the little comment-verification link is actually counter-productive. Readers will get into the habit of simply assuming that, if a comment is PGP-signed, it must be genuine. That’s worse than not having signed comments at all. An attacker can attach any-old PGP signature to his forged comment and readers, who might otherwise have been skeptical, will assume it to be genuine.

So start signing your own comments, and get into the habit of verifying the signatures on the comments of others.

Posted by distler at March 4, 2004 10:15 AM

TrackBack URL for this Entry:   https://golem.ph.utexas.edu/cgi-bin/MT-3.0/dxy-tb.fcgi/321

29 Comments & 1 Trackback

Re: Notes on Comment Authentication

I can honestly say that I never see myself signing comments, it’s just overkill.

Posted by: Matt on March 4, 2004 12:59 PM | Permalink

Re: Notes on Comment Authentication

I think you may feel differently the first time someone posts a thoroughly offensive comment on some blog and leaves your name and URL.

I say that as someone who’s been PGP-signing every piece of outgoing email for the past decade.

Posted by: Jacques Distler on March 4, 2004 1:07 PM | Permalink | PGP Sig

Re: Notes on Comment Authentication

It might be a good idea to place a small link just after the comment verification portion explaining what exactly does the verification “assure” the reader.

In essence we should explian that what we can verify is that the comment seems to be signed using the key that was advertised in the URL given as a part of the verification output. The user should, on their part, still make sure that they can reliably tie down the comment poster to this URL/domain.

Posted by: Srijith on March 4, 2004 5:53 PM | Permalink | PGP Sig

What do we know, and how do we know it?

A good point.

There’s a link to my blog post on the subject in the comment-entry form. But I forget that readers verifying comments don’t see that link (unless they go to post a comment).

We do give them all the available information:

  1. the UID on the signing key
  2. the date and time the signature was made
  3. the key-id
  4. the URL from which the key was fetched (which should belong to the comment-author).

But, you are right, it’s not clear to the uninitiated what inferences can (and cannot) be drawn from that information.

Posted by: Jacques Distler on March 4, 2004 7:17 PM | Permalink | PGP Sig

Perhaps a graphical link?

This subject depends heavily upon audience. For me - after reading the original post - the link “OpenPGP Signature” makes clear sense. Perhaps you could add a graphical signal like the lock-image used by many (all?) browsers to denote “secure” pages or (for example) the logos (static and Flash-based) of Verisign.

I hope visitors would not feel compelled to use this link too often or - better yet - only after a dispute arose, so I would place this link after the commenter’s name and use a small lock, checkmark or similar icon, rather than text. You could follow it with a second link to an explanation page, or you could include the explanation on the same page as the good/bad signature. One advatage is that this could save some vertical space on the original page by avoiding a new line for only this link.

Posted by: David on March 5, 2004 2:41 PM | Permalink

Re: Perhaps a graphical link?

I like the idea of a graphical link, which is easily implemented with the current plugin. Someone with better design skills than mine had better design it, though.

As to the placement of the link, that is currently a bit of a kludge. It’s dictated by a desire for an implementation which is a pure plugin, with no modification of the MovableType source code.

A better “What does this mean?” explanation (or, at least, a link to one) will, obviously, eventually find its way onto the verification page.

Unlike you, I want to encourage people to click on the verification link. It’s fast, painless, and — if people get into the habit — prevent disputes over the authenticity of a comment from ever arising.

Posted by: Jacques Distler on March 5, 2004 2:58 PM | Permalink | PGP Sig

Explanation added

Let me know what you think about the explanation offered now on the Signature-Verification page. Hopefully, it’s succinct, but still intelligible to the uninitiated.

Posted by: Jacques Distler on March 6, 2004 10:07 PM | Permalink | PGP Sig

Re: Explanation added

The explanation looks good. Though a bit technical for a person who may have no idea what PGP and signing is, I can’t see any way to explain the basics of PGP in this kind of explanation.

Posted by: Srijith on March 7, 2004 10:04 PM | Permalink | PGP Sig
Read the post Coverage of PGP commenting idea
Weblog: TriNetre - The Third Eye
Excerpt: Some good coverage and discussion on the idea of PGP signing comment posts: PGP-Signed Comments - A good introduction by Jacuqes Distler on why comments should be signed. Notes...
Tracked: March 5, 2004 8:50 PM

Re: Notes on Comment Authentication

This is a test, signed and posted by Mary.

Posted by: Mary on March 7, 2004 9:37 AM | Permalink | PGP Sig

Re: Notes on Comment Authentication

Hey Jacques,

The above signed comment by Mary (mary@nice.com) is made by me, just to illustrate my point, I will detail it later in my blog.

Cheers,

Yining

Posted by: Yining on March 7, 2004 10:35 AM | Permalink

Your blog post

Evidently, you failed to read my discussion above which deals explicitly with this “attack,” and what we have done to protect against it.

Maybe my explanations have been insufficiently clear.

Any suggestions for improving the wording of the Comment-Verification page will be appreciated.

Posted by: Jacques Distler on March 7, 2004 9:24 PM | Permalink | PGP Sig

Re: Notes on Comment Authentication

Yining, I might be being dense here, but I don’t get your point.

Is your point that you could insert a name “Mary”, an email address mary@nice.com and sign the document and it all looks legit? But it does not, because the verification page says clearly that the key was fetched from yining.org! So unless I, as a user, know for a fact that Marry is in some way related to you (to use your site to distribute her key), I will consider the message as being suspicious and will not trust it.

For me to trust a signed comment, I will have to know for a fact that Mary controls the site at yining.org, just like I know for a fact that Jacques controls the site at http://golem.ph.utexas.edu/~distler/

Posted by: Srijith on March 7, 2004 9:59 PM | Permalink | PGP Sig

Three Propositions

Or, to put things yet another way, consider the following three propositions.

  1. Comments I, II and III were made by the same person.
  2. The person who made those comments owns http://www.srijith.net/trinetre/.
  3. That person’s name is “Krishnan Srijith.”

The first proposition is easily verified by the fact that the same PGP private key was used to sign all three comments. We can be fairly confident that the second proposition is also true because that person gave http://www.srijith.net/trinetre/ as their URL, and the PGP Public Key necessary to verify the signature was found at that location. Hence, unless they hacked their way in and planted their key there, they probably own that domain.

As to the remaining proposition, we have no %$#@^ clue. The person might really be named “Mary Goode,” for all we know. And there’s not much you or I can do to resolve the mystery.

But do we care? Probably not. After all, I’m pretty sure the person who owns Eschaton isn’t really named “Atrios.”

Posted by: Jacques Distler on March 7, 2004 10:26 PM | Permalink | PGP Sig

Re: Notes on Comment Authentication

The key point is no longer the strength of PGP signature, but the implicit knowledge that the associattion of the signature and the URL to retrieve the pub key. How trusted is that?

I am not saying such comment authentication via signature is broken, but it’s limited.

BTW, the plugin (or the verification code) seems to fail on text clearsigned by GPG (on linux), and I have submit comment signed by “Mary” using PGP on Windows.

Posted by: Yining on March 8, 2004 1:00 AM | Permalink

How Trusted?

The key point is no longer the strength of PGP signature, but the implicit knowledge that the associattion of the signature and the URL to retrieve the pub key. How trusted is that?

I have no idea what you mean by “the strength of PGP signature”. Could you explain what you mean by that?

In the conventional application of PGP-signing (email messages), one relies on the Web-of-Trust to verify that the signing key actually belongs to the person who purportedly authored the message.

Do you understand the Web-of-Trust model? If you do, then I think you will agree that it’s not a very practical model for authenticating signed blog comments.

We replace it by a model which ties a PGP key to a segment of URL-space. That is both more relevant in the case of blog comments (assuming the commenters have their own web sites) and — a surprising bonus — more amenable to automatic verification.

With the current scheme, it is far easier to decide whether to trust a signed blog comment than it is to decide whether to trust a signed email message using the conventional PGP Web-of-Trust.

I am not saying such comment authentication via signature is broken, but it’s limited.

Of course it’s limited. I’ve tried to be painstakingly explicit about its limitations. There are some things that it cannot tell us. Fortunately, the things it can tell us are the things that I think are the important ones.

BTW, the plugin (or the verification code) seems to fail on text clearsigned by GPG (on linux), and I have submit comment signed by “Mary” using PGP on Windows.

I thought Srijith uses GPG on linux. I’m using GPG on MacOSX. Neither of us has any problems of the sort you describe.

Posted by: Jacques Distler on March 8, 2004 1:51 AM | Permalink | PGP Sig

Re: Notes on Comment Authentication

The plugin does not fail on text clearsigned by GPG on linux.

What you might be experiencing is one of the oddities of clearsign on Linux. If you copying the clearsigned text from Linux console, for some weird reason it adds a space before the newline after the “SHA1” line. For more details, read the comment that starts “Mike, I think I know what is going on..” at this entry.

Posted by: Srijith on March 8, 2004 4:19 AM | Permalink | PGP Sig

Re: Notes on Comment Authentication

Hi -

I am encountering problems when pgp-signing comments which contain a hyperlink with a long URL. For instance when I type the message

This is a test <a href=”http://xxx.uni-augsburg.de/abs/hep-th/0403072”>hep-th/0403072</a>, just as test.,

copy this to my clipboard, sign it, paste it into the comment window again and then preview, then the hyperlink is not displayed.

Maybe in the process of signing something goes wrong with the line-break of the long href= line? Can anyone reproduce this problem with the above text?


Posted by: Urs Schreiber on March 9, 2004 8:28 AM | Permalink

Linebreaks

If you are using GPGShell, it has a brain-dead default option to insert line-breaks into very long lines in your text. You need to turn this option off in the preferences. [It’s unnecessary, even for email, as modern mail clients understand format=flowed, so there’s no need to break up long lines even in email. It’s a downright crazy thing to do in a non-email context.]

This is mentioned somewhere in Srijith’s documentation.

Posted by: Jacques Distler on March 9, 2004 8:39 AM | Permalink | PGP Sig

Re: Linebreaks

Thanks, that works.

I figured that some automatic line breaking might have been the problem but didn’t see how to switch it off. In case anyone else is having problems with this with GPGShell one has to do the following:

- start GPGkeys

- select Preferences -> GPGshell -> GPGtray

- set the item ‘word-wrap clear-signed text’ to 0 (!)


Posted by: Urs Schreiber on March 9, 2004 10:06 AM | Permalink | PGP Sig

Re: Notes on Comment Authentication

That really rocks. Now I want to implement that on my blog.

Posted by: Ted Pennings on November 28, 2004 5:26 AM | Permalink | PGP Sig

Re: Notes on Comment Authentication

This comment serves two purposes. First off, I want to make sure that I’ve set things up correctly for it to show up as a PGP-signed comment. Second, I’m curious to hear what you think about the decentralized identity projects happening at OpenID, LID, and Yadis. MyLid.net provides OpenID, LID, and Yadis services all at the same site. It seems like they are interested in some of the issues that PGP-signed comments address, and LID also has a public key component.

Thanks for any response,
/au

Posted by: Austin Frank on May 22, 2006 1:34 PM | Permalink

Re: Notes on Comment Authentication

I didn’t actually sign the previous comment, but this one should be signed.

/au

Posted by: Austin Frank on May 22, 2006 3:00 PM | Permalink | PGP Sig

Singature spooged

Your key did get successfully downloaded to the database (key id 7C7343324986C0DC). But the signature seems to be spooged.

I’ve tried the OpenID plugin for MovableType, and, frankly, it sucked, as do all of the other implementations I’ve seen. I haven’t seriously looked into Yadis.

For the most part, both OpenID and Yadis seem to be geared towards single-signon, which I find singularly uninteresting.

PGP-signed comments make no pretense to offering single-signon; instead, they offer comment authentication/integrity-checking. Given that it didn’t “just work” when you tried it just now, one might argue that they could yet be made easier to use.

Posted by: Jacques Distler on May 22, 2006 3:17 PM | Permalink | PGP Sig

yeah, new at this

My public key is a 4096 RSA, but I have a DSA subkey that gets used for signing. Is it possible that this is causing a problem?

I re-exported and reuploaded my public key as a sanity check. Maybe this signature will work.

Posted by: Austin Frank on May 22, 2006 3:35 PM | Permalink | PGP Sig

Re: yeah, new at this

Well, there’s something spooged about the key you exported:

gpg: subpacket of type 32 too short
pub   4096R/4986C0DC 2006-05-21
uid                  Austin Frank <austin.frank@gmail.com>
uid                  Austin Frank <aufrank@aufrank.net>
sub   1024D/A6ACA2D5 2006-05-21
sub   4096g/FA70D7C8 2006-05-21

And that’s after deleting and re-importing your key.

Posted by: Jacques Distler on May 22, 2006 4:20 PM | Permalink | PGP Sig

Re: yeah, new at this

Specifically, I think the signing subkey, A6ACA2D5 is missing from the public key you exported.

Posted by: Jacques Distler on May 22, 2006 4:39 PM | Permalink | PGP Sig

Thanks Jacques!

As the whole interweb saw, I screwed up posting my public key previously. Jacques wrote to me to check if I had corrected my setup and offered some help– what a guy! My key worked fine in that correspondence, and I’ve been able to import it successfully on a few different machines, so I’m hoping that this comment will verify using the public key on my website.

Thanks for your help, Jacques!
/au

Posted by: Austin Frank on May 25, 2006 12:28 PM | Permalink | PGP Sig

Not so fast!

It seems there is a bug in Crypt::OpenPGP. The signature on your comment is perfectly valid (as anyone can verify by copying the “raw” comment into their favourite PGP tool and verifying that it was signed with key 0xB7A9E538D7398C2F).

I’ll have to explore what the problem is. Dunno how well-supported Crypt::OpenPGP is these days …

Posted by: Jacques Distler on May 25, 2006 1:21 PM | Permalink | PGP Sig

Re: Notes on Comment Authentication

Hi, i decided that i also wanted to test this thing :)

Sorry for the comment crapping :P

Posted by: Nichlas on October 11, 2007 4:29 AM | Permalink | PGP Sig