TriNetre - Archive for February 23, 2004
(no longer updated)
[Update] This project has been renamed OpenPGPComment and now has a project page of its own.
Continuing my ongoing infatuation with PGP/GnuPG, I have gone ahead and coded a Movable Type plugin that I have named PGPComment.
PGPComment was inspired by the PGP comment support that Paul Bausch added to his blog. My system is very similar in functionality and design to that original one. The parsing code is taken from the Crypt::OpenPGP Perl module by Benjamin Trott.
The system works as follows. For a non-PGP user, nothing changes: comment entry is just the same. A PGP user can submit a clearsigned comment instead of a plain comment. If you are using PGP or GPGShell, this is a very easy process. As usual, type your comment (in plain text) into the textbox. Once you have finished, right-click the PGP/GPG tray tool, select "Current Window" and then "ClearSign". You will be asked for your private key passphrase. Once the correct passphrase is given, the comment is signed and the signed text is automatically inserted into the textarea in place of the plain text.
The system saves the PGP comment as-is into the MT database. When listing the comments on an entry, the PGP-related details are stripped away and only the actual comment is shown. The PGP comment in its original form can be obtained by following the [PGP] link next to the comment; this unaltered post can be used to verify the signature.
The system does not perform any verification of the clearsigned text itself. Rather, the onus is on the comment poster and reader to sign and verify the comment and to maintain their keyrings. This way the workings not only remain hidden from a non-PGP user, but the host is also spared an undue burden.
As a lot of people have pointed out, the success of this and other PGP-based projects relies on the spread of the web of trust. Faking an identity is still possible even with PGP/GPG as long as the web of trust is not strong. One way to pass on information about where a user's public key is available is to specify the URL in the "Comment" portion of the PGP signature. This can be done by adding a line similar to the one below to the file "gpg.conf" (if you are using GnuPG):
Then, when a message is clearsigned, the location of the public key is embedded in the signature section, making the key easier to discover. For example, a sample clearsigned text is given below:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

This is a PGP signed text.
This is its second line.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (MingW32)
Comment: Key at http://www.srijith.net/srijith_pubkey.asc

iD8DBQFAObhzF4k5uXLdWDgRAmEpAJ0Q1owcEZvNCXhf+Yr7w8P7htAXmwCg
Rr77BTAtI9cuTIdp97I6HrY=
=Szfe
-----END PGP SIGNATURE-----
Notice how the URL for obtaining the public key needed to verify the signature is present in the signature itself.
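As an added illustration, not the PGPComment plugin's own code, here is a small Python parser that does what the entry describes: it splits a clearsigned comment into the signed text (undoing the dash-escaping the clearsign format applies to message lines that begin with "-"), the armor headers and the signature block, pulls the key URL out of the Comment header, and leaves a non-PGP comment untouched. Like the plugin, it performs no signature verification; the Comment header is text supplied by whoever produced the signature, so the URL only says where a key may be fetched from, not that the signature checks out. The first sample is the entry's own message with the blank lines the armor format requires; the second is constructed, and its signature bytes are not real.

```python
"""Split an OpenPGP clearsigned comment (RFC 4880 section 7) into its parts.

Added illustration, not the PGPComment plugin's own code.  It only takes the
armor apart; like the plugin, it does NOT verify the signature, so nothing it
returns says anything about who wrote the comment.
"""
import re

BEGIN_SIGNED = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"

# The entry's own sample, with the blank line that follows each header block.
SAMPLE = """-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

This is a PGP signed text.
This is its second line.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (MingW32)
Comment: Key at http://www.srijith.net/srijith_pubkey.asc

iD8DBQFAObhzF4k5uXLdWDgRAmEpAJ0Q1owcEZvNCXhf+Yr7w8P7htAXmwCg
Rr77BTAtI9cuTIdp97I6HrY=
=Szfe
-----END PGP SIGNATURE-----
"""

# Constructed sample (signature bytes are not real): exercises dash-escaping
# and a Comment header that carries no key URL.
ESCAPED = """-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- -- a line that starts with a dash
second line
-----BEGIN PGP SIGNATURE-----
Comment: constructed sample, signature bytes are not real

AAAA
=0000
-----END PGP SIGNATURE-----
"""


def _read_headers(lines, i):
    """Read 'Key: value' armor headers from lines[i] on; stop at the blank line."""
    headers = {}
    while i < len(lines) and lines[i].strip() != "":
        key, sep, value = lines[i].partition(":")
        if not sep:
            raise ValueError(f"malformed armor header: {lines[i]!r}")
        headers[key.strip()] = value.strip()
        i += 1
    return headers, i + 1  # skip the blank separator line


def _key_url(comment):
    """Return the first http(s) URL in a Comment header, or None."""
    m = re.search(r"https?://\S+", comment)
    return m.group(0) if m else None


def parse_clearsigned(text):
    """Return None for a plain comment, else a dict with the message parts."""
    lines = text.splitlines()
    try:
        start = lines.index(BEGIN_SIGNED)
    except ValueError:
        return None  # a non-PGP comment: nothing to strip
    hash_headers, i = _read_headers(lines, start + 1)
    body = []
    while i < len(lines) and lines[i] != BEGIN_SIG:
        line = lines[i]
        # Undo dash-escaping: a message line beginning with '-' is sent as '- -...'.
        if line.startswith("- "):
            line = line[2:]
        body.append(line)
        i += 1
    if i >= len(lines):
        raise ValueError("clearsigned message has no signature block")
    sig_headers, i = _read_headers(lines, i + 1)
    armored = []
    while i < len(lines) and lines[i] != END_SIG:
        armored.append(lines[i])
        i += 1
    if i >= len(lines):
        raise ValueError("signature block is not terminated")
    # Trailing whitespace and the final line ending are not part of the signed text.
    clear_text = "\n".join(l.rstrip(" \t") for l in body).rstrip("\n")
    return {
        "hash": hash_headers.get("Hash"),
        "text": clear_text,
        "signature_headers": sig_headers,
        "signature": "\n".join(armored),  # base64 data plus the '=' CRC line
        "key_url": _key_url(sig_headers.get("Comment", "")),
    }


def displayed_comment(text):
    """What a non-PGP reader sees: the bare text, or the comment unchanged."""
    parsed = parse_clearsigned(text)
    return text if parsed is None else parsed["text"]


if __name__ == "__main__":
    for sample in (SAMPLE, ESCAPED, "just a plain comment"):
        print(repr(displayed_comment(sample)), parse_clearsigned(sample) and parse_clearsigned(sample)["key_url"])
```

The stored original (the full armored text) is what a reader would feed to `gpg --verify`; the parser's output is only for display, which is exactly the split the entry describes.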
Details on using the plugin can be found on the PGPComment page. See the comments on this entry for examples of non-PGP-signed and PGP-signed comments.
