It’s just data

Signing Comments

Simon Willison has joined a discussion on signing comments.  This is a topic that has fascinated me for some time, but I haven't done anything about... yet.

Having a signature-authenticating web service would also be valuable in a posting API.


Identity at comments really has two aspects, first and foremost, to discourage spam or to ban abusers, and secondly, to trace comments back to the person who claimed to make them.

Neither of which needs to get into the complexity of signing. And both of which can be enabled by a set of centralized identity services, federating, or even each blog maintaining its own identity system, or even caching upstream identities.

I suspect this is one of those cases where decentralization for its own sake makes it harder for the actual user, who now has to install a bookmarklet, rather than having had to do one of those click on link in email signup things. At least this proposal doesn't want to do the PGP signing stuff people were talking about earlier.

Why do we programmers have a tendency to complicate things more than they need to be (it's something I have to actively counteract in me too)?

Posted by Rahul Dave at

Signing comments

Some interesting ideas from Simon Willison : Signing comments on blogs. (spotter : Sam Ruby)......

Excerpt from Formerly Echo at

My comments here: http://www.ideaspace.net/users/wkearney/archives/entries/000394.html

Posted by Bill Kearney at

Prior efforts from Paul Bausch, using PGP to protect identity:

http://www.onfocus.com/pgp-demo.asp
http://www.onfocus.com/index.asp?xml=2002_11_01_past.xml#3005

Posted by scottandrew at

Ben's also done some work on this:
http://www.sixapart.com/log/2002/12/verifying_pgp_s.shtml

Posted by Anil Dash at

I've played around some here as well, see FoafCheck, with more complete details of the intended comment signing process summarized in FoafIdentityAssurance.

Posted by Ken MacLeod at

I've put together a prototype. The unique thing about this system is it doesn't require PGP, or any other third party software (in fact it doesn't even require a hashing algorithm) - signatures are made by generating a one-time random string, which is stored with the comment and recorded as belonging to a particular user. The bookmarklet acts as the go-between, and the validation server is used to confirm that the signatures match. It ends up validating the user's homepage rather than the user's name, as the homepage is where the authentication server information is found.

Posted by Simon Willison at
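A minimal sketch of the one-time-string scheme described in the comment above, added here as an illustration; it is not the prototype's code. The class, method names and URLs are hypothetical, and recording the comment URL alongside the homepage is an assumption of this sketch so that a string copied onto a different comment does not validate.

```python
import hmac
import secrets


class ValidationServer:
    """In-memory stand-in for the validation server (hypothetical API).

    How a blog discovers the server from the user's homepage is not modeled.
    """

    def __init__(self):
        # (homepage, comment_url) -> one-time random string
        self._issued = {}

    def issue(self, homepage, comment_url):
        """Requested by the bookmarklet while the user is logged in here.

        The "signature" is just an unguessable random string: no PGP, no hash.
        """
        token = secrets.token_urlsafe(32)
        self._issued[(homepage, comment_url)] = token
        return token

    def verify(self, homepage, comment_url, token):
        """Asked by a blog or reader: does this string belong to this user?"""
        expected = self._issued.get((homepage, comment_url))
        if expected is None:
            return False
        # Constant-time comparison of the stored and presented strings.
        return hmac.compare_digest(expected.encode(), token.encode())


def demo():
    # All URLs below are constructed sample values.
    server = ValidationServer()
    home = "https://alice.example/"
    url = "https://blog.example/2003/signing#c5"
    other = "https://blog.example/2003/other#c1"
    sig = server.issue(home, url)  # stored by the blog with the comment
    return {
        "genuine": server.verify(home, url, sig),
        "wrong_homepage": server.verify("https://mallory.example/", url, sig),
        "copied_to_other_comment": server.verify(home, other, sig),
        "guessed_string": server.verify(home, url, "not-the-token"),
    }
```

As in the description, what gets validated is the homepage, not the name typed into the comment form.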
