Richard Eriksson pointed to this item by Paul Bausch on the ethics of pinging someone else's TrackBack, which reminded me when I visited that Bausch's onfocus.com is the weblog with PGP comments. As he explains, it's really only doing a little string magic; it's entirely up to the reader to verify the signatures. Ben Trott wrote a response (Six Log's first entry, even) to Paul Bausch's work. Using a plugin or something that fetches keys for Crypt::OpenPGP (which I had no idea Ben Trott actually wrote!) to verify the signatures on the server would be more like what I had in mind.
If we want to depend on existing keyserver infrastructure, we don't need an URL or ID for the key, either, because the key's key ID is already in the message signature. If the only author data we need is the name and email address, we don't really need the author description file at all, because those are attached to the public key. So all you'd need to send is the signed comment. If the comment server didn't have your key, it would ask keyservers for it; when it had your key, it would check your signature, and error if the signature was bad. If the signature was good, it would get your name and email from the key (if you didn't bother entering them in the fields) and display your comment as verified to that key.
This has the plus that it's basically what Paul Bausch has already done, plus Ben Trott's step of verifying the key. You could allow people to just post signed comments like Bausch does, and do all the processing behind the scenes (except the oops if the signature is bad).
This has the other plus that your private key is safe on your computer. I corresponded a little about the idea with Stuart Langridge, and he thought private keys on web servers was basically utter foolishness. If I had thought about implementing it a bit more, I hope I would've agreed before he even said so. For example, on Cornerhost (or at least on the mercury machine), we still don't have suEXEC; for a CGI to sign a message for me, my secret keyring would have to be readable to the apache user... which... would be bad.
The scheme has the minus that you can no longer post from anywhere, only where you have your key. That was the main reason to have a CGI that could sign for you. If you have a shell run by someone you trust, you could put the secret key you sign comments with there to be able to comment from anywhere... but that means you need to shell with ssh, not merely have web. That's not so bad if you carry a copy of PuTTY with you, but it's still more onerous to J Random Commenter. For suEXEC environments, you could still do it with CGI; you'd want to use https to protect your passphrase, though. So if other users snatching your private keyring isn't a problem, a CGI version (both for people on the go and to run as a third-party service) still sounds doable and useful.
It has the minus that it doesn't address editing or deletion at all. You could just POST or PUT a new signed comment to a URI identifying your particular comment, but as I understand it POSTing an empty item to delete the post would endanger your key, if PGP allows it at all. (Would providing a slightly modified comment also endanger your key?) Actually I'm sure there's some protocol or other for this--it's just public key authentication in general, not message signing--I just need to browse Applied Cryptography again to find the specifics.
It has the other minus that if we want any other author metadata, we need the description file again. You can enter an URL for your web site, but that's not authenticated in any way. But then, using public key encryption like this has the general minus that you're only really able to verify the fellow who wrote comment X over here wrote comment Y over there, not that the name and email on the key are right. But there's not really anything we can do about that, other than have some scheme, protocol, or convention for attaching proof to your weblog that you're the owner of the key you're using.
So basically, just PGP signatures gives us all the authentication we need. It's the things we want to build on top of authentication that we'd need more software for:
- Editing comments.
- Deleting comments.
- Aggregating all your comments in one place. (Have the comments server TrackBack a particular URL when you post somewhere? This would require an author description file again.)
