Simon Willison’s Weblog

Signing comments on blogs

22nd July 2003

Adrian Holovaty has implemented reserved comment names in his blog, a feature that prevents anyone apart from him from using the names “Adrian”, “Adrian H.” or “Adrian Holovaty” when posting a comment. François Nonnenmacher suggests extending the idea to allow people to “confirm” their authorship of comments on any blog using a TrackBack sent to their site that in turn causes them to be sent an alert email, which they can then use to confirm their comment. I like his idea of authentication based on URLs (email addresses are no good; they should not be publicly displayed for fear of spam harvesters) but I think I’ve come up with an alternative authentication scheme that removes the need for the user to manually confirm authorship. This is pretty complicated, so bear with me.

  1. The comment author enters their comment into a form on the site. They see a standard icon indicating that the blog in question supports comment signing. Rather than manually entering their name and URL, they activate a bookmarklet that they have previously added to their browser.
  2. The bookmarklet fills in the name and URL fields for them. It also takes the comment, appends a secret key (stored in the bookmarklet) and finds the MD5 hash of the new string, using the JavaScript MD5 library. It inserts this hash into a hidden field in the comment form.
  3. The user can now submit the new comment. That’s all they have to do.
  4. The weblog server now kicks into action. If the comment has not been signed (there is no hash in the hidden field) it adds the comment normally, noting that it should be displayed as an “unsigned” comment on the comments page. End of story.
  5. If it has been signed, the server has some work to do. First it must start loading the URL indicated by the user on the comment form. It is looking for a <link rel="signature"> element, which will provide the URL of a signature authenticating web service. If the </head> tag is reached, the system can assume the link element does not exist and can mark the comment as “unsigned”.
  6. If the web service is found, the server can now send it the comment and the user’s site URL. The web service (which knows the user’s secret key) will respond with a hash created in the same way as the one constructed by the bookmarklet.
  7. If the hash returned by the web service matches the hash provided by the bookmarklet, the comment is considered “signed”. The server can store it as such, and later display it with an icon or style that indicates it is a signed comment. If they do not match, the server can either store the comment as “unsigned” or even flag it as “untrusted”, since it was incorrectly signed.
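
The seven steps above, sketched end to end as an added example (not code from the original post): Node.js stands in for the bookmarklet, the weblog server and the signature web service. The function names, the lookup callback that models reading <link rel="signature">, the constant-time comparison and the sample URL and key are assumptions made for illustration.

```javascript
// Added example, not from the original post. Node.js plays all three parties.
const crypto = require('node:crypto');

// Steps 2 and 6: MD5 over the comment with the secret key appended, hex-encoded.
function signComment(comment, secretKey) {
  return crypto.createHash('md5').update(comment + secretKey, 'utf8').digest('hex');
}

// Step 6: hypothetical signature web service holding each user's secret key.
// Returns null when it has no key for the site (assumption; the post is silent here).
function makeSignatureService(keysBySiteUrl) {
  return (comment, siteUrl) =>
    keysBySiteUrl.has(siteUrl) ? signComment(comment, keysBySiteUrl.get(siteUrl)) : null;
}

// Compare two hex digests without revealing where they first differ via timing.
function hashesMatch(a, b) {
  const x = Buffer.from(a, 'utf8');
  const y = Buffer.from(b, 'utf8');
  return x.length === y.length && crypto.timingSafeEqual(x, y);
}

// Steps 4, 5 and 7: classify a submitted comment form.
// lookupService(siteUrl) models loading the author's page and reading
// <link rel="signature">; it returns the service, or null if no link exists.
function classifyComment({ comment, siteUrl, hash }, lookupService) {
  if (!hash) return 'unsigned';                 // step 4: hidden field is empty
  const service = lookupService(siteUrl);
  if (!service) return 'unsigned';              // step 5: reached </head>, no link
  const expected = service(comment, siteUrl);   // step 6: ask the web service
  if (expected === null) return 'unsigned';
  return hashesMatch(hash.toLowerCase(), expected) ? 'signed' : 'untrusted'; // step 7
}

// Constructed sample data: the site URL and secret key are made up.
const SITE = 'https://commenter.example/';
const KEY = 'constructed-secret-key';
const service = makeSignatureService(new Map([[SITE, KEY]]));
const lookupService = (url) => (url === SITE ? service : null);

const form = { comment: 'Nice post', siteUrl: SITE, hash: signComment('Nice post', KEY) };
console.log(classifyComment(form, lookupService));
console.log(classifyComment({ ...form, comment: 'Edited in transit' }, lookupService));
```

The hash here is MD5 over comment plus key exactly as the post describes; HMAC is the standard keyed construction for the same job.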

As you can see, it’s a relatively complicated system. The comment authors must have a custom bookmarklet and add a tag to their home page indicating their authenticating web service URL. Note that they do not need to host the authentication web service themselves—they can instead point to one run by someone else who they trust (trust here is essential as the web service must know the user’s private key). Meanwhile, the blogging system needs to be able to perform HTTP requests.

The key advantage of my system is that, being based on MD5, it is relatively easy to implement (as opposed to a system based on something like PGP). Provided no one points out any immediate flaws, I would happily construct a prototype in PHP. I’m sure a Perl implementation for Movable Type users would not prove much of a challenge to any talented plugin author.

Security-wise, it strikes me that the weakest link is the client-side bookmarklet which comment authors would need to use. However, comment signing is not the most critical security application in the world and comment authors could easily change their password by updating their bookmarklet and alerting their signature web-service provider (which could even be themselves) of the change.

And if the signature idea doesn’t win any favour, the idea of having a bookmarklet to fill in your name and URL in blog comment forms is one I’ve been meaning to share for some time.

This is Signing comments on blogs by Simon Willison, posted on 22nd July 2003.

Previously hosted at http://simon.incutio.com/archive/2003/07/22/signingComments