
Simon Willison’s Weblog

Comment Authentication Prototype

I’ve built a prototype of the comment signature system discussed earlier. The prototype consists of an authentication server which anyone can register with and support on this blog for verifying signatures. So far it seems to work.

To gain the ability to sign comments:

  1. Add the following HTML to the head section of your homepage/weblog: <link rel="sigserver" href="http://simon.incutio.com/auth/confirm" />
  2. Create a comment authorisation account.
  3. Log in to your authorisation account and add the bookmarklet it provides you with to your browser.
  4. You can now sign a comment on this site (and any others that support the prototype) using the bookmarklet. You must activate it while looking at the entry page containing the ’Add Comment’ form. The site will do the rest. Note that the bookmarklet will fill in the name, email and url fields on the form, saving you the hassle.

To add support for comment authentication to your own blog (assuming it uses PHP):

  1. Grab this file: sig-confirm.inc.php. It contains a function which can be used to confirm a signature. It requires IXR, which you can download from here.
  2. Make some minor modifications to your ’add comment’ form, to make it compatible with the bookmarklet. You need to assign ID attributes to the input fields for name, email and URL of ’commentFormName’, ’commentFormEmail’ and ’commentFormURL’ respectively. You also need to add a hidden field like this one: <input type="hidden" name="signature" id="commentSignature" value="" />
  3. Modify the code that processes the add comment form. If ’signature’ is not an empty string, the comment has been signed so confirm the signature by calling the confirmSig() function (documentation of the arguments is included in the sig-confirm.inc.php file). If the function returns true, flag the comment as signed. I suggest doing this by saving the signature variable along with the rest of the comment.
  4. When displaying comments, be sure to visually indicate comments that are “signed”.
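One way to implement the check in step 3 above, as an added example that is not the project's own confirmSig() from sig-confirm.inc.php: it discovers the sigserver from the commenter's homepage (the link tag from step 1 of the first list) and asks that server to confirm the signature. The XML-RPC method name sig.confirm, its argument list and the example hosts are assumptions; the stand-in $fetch and $rpc callables keep the demo offline.

```php
<?php
// Added example, not the project's sig-confirm.inc.php. The XML-RPC method name
// 'sig.confirm' and its parameters are assumptions; $fetch and $rpc are injected
// so the logic runs offline (in production: an HTTP GET plus an IXR_Client call).
// Return the href of <link rel="sigserver" href="..."> from a homepage's HTML, or
// null if absent. Only http(s) hrefs are accepted: the page is third-party input.
function discoverSigserver(string $html): ?string {
    $dom = new DOMDocument();
    if ($html === '' || !@$dom->loadHTML($html)) {  // '@': real HTML is rarely well-formed
        return null;
    }
    foreach ($dom->getElementsByTagName('link') as $link) {
        $rels = preg_split('/\s+/', strtolower(trim($link->getAttribute('rel'))));
        $href = trim($link->getAttribute('href'));
        if (in_array('sigserver', $rels, true) && preg_match('#^https?://#i', $href)) {
            return $href;
        }
    }
    return null;
}

// Confirm that $signature was issued to the owner of $homepage for a comment on
// $site. The sigserver is discovered from the homepage the commenter claims and
// never taken from the form, so a forged field cannot nominate a server that vouches for it.
function confirmSignedComment(string $homepage, string $signature, string $site,
                              callable $fetch, callable $rpc): bool {
    if ($signature === '' || !preg_match('#^https?://#i', $homepage)) {
        return false;
    }
    $html = $fetch($homepage);
    $server = is_string($html) ? discoverSigserver($html) : null;
    return $server !== null
        && $rpc($server, 'sig.confirm', [$homepage, $signature, $site]) === true;
}

// Constructed offline stand-ins: a fake homepage, and a fake sigserver that accepts
// exactly one (homepage, signature, site) triple and then burns the signature.
$issued = ['http://example.org/' => ['sig-abc123' => 'http://blog.example/']];
$fetch = fn(string $url) => $url === 'http://example.org/'
    ? '<html><head><link rel="sigserver" href="http://auth.example/confirm" /></head></html>'
    : null;
$rpc = function (string $server, string $method, array $args) use (&$issued): bool {
    [$home, $sig, $site] = $args;
    $ok = $server === 'http://auth.example/confirm' && $method === 'sig.confirm'
        && ($issued[$home][$sig] ?? null) === $site;
    if ($ok) { unset($issued[$home][$sig]); }  // one-time use, as in comment 8 below
    return $ok;
};
var_dump(confirmSignedComment('http://example.org/', 'sig-abc123', 'http://blog.example/', $fetch, $rpc));
var_dump(confirmSignedComment('http://example.org/', 'sig-abc123', 'http://blog.example/', $fetch, $rpc));  // second use: replayed signature
```

The second call reuses a signature the fake server has already consumed, which is the replay case the one-time-password design is meant to rule out.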

The system is decentralised, so if you want to host your own authentication server rather than relying on mine feel free to grab the PHP code (warning: it’s a bit of a mess) and use it as a starting point.

This is more of a proof of concept than anything else, so feedback and suggestions would be very welcome.

Incidentally, this isn’t the first time this problem has been tackled. See here and here for details of a system that uses PGP to sign and verify comments.

This is Comment Authentication Prototype by Simon Willison, posted on 24th July 2003.


29 comments

  1. And here's a signed comment.

    Simon Willison - 24th July 2003 15:36 - #

  2. Now this is a triumph of shoot first, ask questions later! After reading Sam Ruby's post I was pondering the MS Passport / Liberty Alliance like implications... Still pondering...

    The main issue for me is how to do this without one server becoming the central point for authentication, partly for when the server goes down and also to prevent any one person/group owning the network. Perhaps there needs to be some concept of a "domain" which is a group of authentication servers (that "trust" each other) but that implies "domain servers" which know about auth servers within each domain.

    If this could be hooked up with the phpBBs / vBulletins out there, suddenly it's looking very significant

    Harry Fuecks - 24th July 2003 16:01 - #

  3. Right now <link rel="sigserver" href="http://simon.incutio.com/auth/confirm" /> results in "Illegal tag: link" BTW.

    Harry Fuecks - 24th July 2003 16:02 - #

  4. What's giving the "Illegal tag" error message? You need to add it somewhere in between <head> and </head> on the page that you "sign" comments with (in your case www.phppatterns.com) - all the system is really doing is confirming that the person who wrote the comment is the person who has control over the URL they entered as their home page.

    Simon Willison - 24th July 2003 16:11 - #

  5. Whoops - afternoon stupidity. Gotcha

    Harry Fuecks - 24th July 2003 16:14 - #

  6. I've only done quick review of the code, but I may have spotted a serious problem. Simon, if I were to enable this on my server and then somehow entice you to sign a comment on my machine, wouldn't I then have your signature to do with as I please? Since your current implementation seems to require login, couldn't you achieve the same effects by requiring all registrations be signed, and then simply rely on login? However, I must admit that having thought about it, the idea of PGP signing that you linked to above is starting to grow on me. I was talking to Don Park on IRC about digitally signing RSS/Atom entries. Such signatures could also be made to work on blogging API.

    Sam Ruby - 24th July 2003 16:42 - #

  7. By sign a comment on your machine, do you mean get me to log in to the comment system using your PC, then install the bookmarklet? If so then yes, that would lead to a compromise but the same is true of any login based service (hotmail for example). I may have misunderstood your concern though.

    Simon Willison - 24th July 2003 16:46 - #

  8. Incidentally each 'signature' is a randomly generated, one-time password. It should only be used to sign the comment it was created for. In fact, my current implementation does allow signatures to be re-used but this is an oversight (I'm working to fix it now).

    Simon Willison - 24th July 2003 16:48 - #

  9. Shouldn't this be the other way around? For example, if I want to post a comment here, I open the bookmarklet which then posts a form to my server. It's in my server where I have a comment form (and it's also where my personal info is stored) which now knows where to post the comment to. This way I can have my own editor in my own private place. Granted, there has to be a standard way to post comments.

    edmz - 24th July 2003 16:51 - #

  10. Great!

    Jesper - 24th July 2003 18:39 - #

  11. Not so great, by the way. The bookmarklet throws an error in IE6.

    Jesper - 24th July 2003 18:41 - #

  12. OK, I guess this is a test of a signed comment. :) (Jesper: IE6 is the error.)

    michel v - 24th July 2003 21:47 - #

  13. Moz Firebird's JS console throws this error:

    Error: missing ; before statement

    Source File: http://simon.incutio.com/auth/bookmarklet

    No URL!

    And your comment form should support the br tag, IMHO. And not cry that the XHTML is not well-formed when I try to use a non-breaking space. ;)

    michel v - 24th July 2003 21:58 - #

  14. Simon: No luck, same "No URL error" with Firebird.

    edmz: this is what I'd favor. It is like a TrackBack except that instead of writing a post on your weblog, it sends your prose to the site which adds it to the comments with a treatment that says this comment comes from your site.

    I admire Simon for putting a prototype in such a short time. I wish I knew Perl to hack MT and prototype the TB-like comment I envisioned.

    François - 24th July 2003 23:09 - #

  15. Simon, how do I sign in back to your authentication server?

    I'm trying to test the bookmarklet with IE/Mac (not that I'd change my browser of choice just for a bookmarklet ;-) but I want to try) but it complains that I need to sign in first.

    François - 25th July 2003 11:17 - #

  16. Simon: Something you may be interested in.

    zlog - 25th July 2003 12:55 - #

  17. Simon: I think Sam means - although I could be wrong - wouldn't submitting a signed comment to someone else's comment system give them your signature to use?

    Gary F - 25th July 2003 13:28 - #

  18. Just giving this a try. I do hope you get a bookmarklet working in IE6 soon, but I'll use mozilla for the time being. For those who are confused about how to get back in when they've lost their cookie, the login page is here. Took me some guessing to figure out.

    Jordan - 25th July 2003 14:59 - #

  19. Well, that didn't work at all. Did I do something wrong? I added the <link> to my site, logged into the auth server, clicked on the bookmarklet while here at the comments page.. nada.

    Jordan - 25th July 2003 15:06 - #

  20. Trying...

    François - 25th July 2003 15:40 - #

  21. Nada itou (IE5/Mac) Bookmarklets don't like me :(

    Francois - 25th July 2003 15:42 - #

  22. While I'm waiting for this to magically start working, I'd like to say that Simon's proposal, in my eyes, is far superior to any of the proposals I've seen here or linked. This is for one reason: To use Simon's signing message, I don't have to navigate away from the current page. A lot of people seem to be suggesting that this be done similarly to Trackback. But why on Earth would I want to go to my weblog in order to post to Simon's page? Why should I have to? Also, Simon's method doesn't require me or the developer to add any functionality to the blogging software that I use. I just have to add a single line to my template, something which any user can do. No software upgrade required. Likewise, a lot of people are suggesting that this is no better than an ordinary user registration/login system, but that's certainly not the case. If other web sites adopt Simon's "protocol", I still don't have to sign up at their sites, because I'm already signed up at Simon's auth server, and my web site's link points there. Or I could set up an auth script just for me on my web server, and henceforth leave Simon entirely out of the loop.

    Jordan - 25th July 2003 16:45 - #

  23. The bookmarklet won't work for me either in IE6: line 2 char 4 expected ';'.

    Francois PLANQUE - 26th July 2003 11:28 - #

  24. Testing...

    Wayne Burkett - 28th July 2003 05:07 - #

  25. michel: Do you think this will fly without IE6 support?

    Jesper - 29th July 2003 14:57 - #

  26. Hi Simon, I have another simpler way, what do you think of it?

    François - 1st September 2003 12:29 - #

  27. sdfsdfsdfsdfsdfsdfsdfsdfsdfsdfsdfsdf

    Pawel - 17th March 2004 18:30 - #

  28. Testing the authentication feature...

    Aaman - 9th June 2005 14:05 - #

  29. I didn't read all the posts, but for a distributed and working identification service, see OpenID. http://openid.net/

    zimbatm - 14th October 2005 12:03 - #


Previously hosted at http://simon.incutio.com/archive/2003/07/24/commentAuthenticationPrototype
