TriNetre - Archive for February 25, 2004

(no longer updated)

February 25, 2004
Thoughts on server side signature verification for PGPComment
[Software] @ 07:52 PM

Some people have expressed interest in an extension to PGPComment that performs verification of the comments at the server side itself, instead of putting the onus on the reader.

I have been coding the next version of PGPComment to support this and was faced with some design issues that I thought I would share with whoever is interested.

The design in principle is very similar to the one discussed in the post Verifying PGP Signatures at Six Log. It uses Crypt::OpenPGP to perform the actual verification.

The issues are these:

There are two "places" where the verification can be performed:

  1. At the time the comment is submitted.
  2. Every time the comment is displayed.

(1) has the plus point that it is more efficient in terms of computation, since verification has to be done only once for each comment. However, to get this to work in MT, one needs to hack core MT files like Comments.pm, i.e. it will no longer be just a plugin. Complications can creep in if you need to incorporate other hacks (like MTBlacklist) into these edited MT files.

(2) has the plus point that one will not need to edit any MT files, keeping the code a pure plugin. However, since verification is done every time the comment is displayed, verification will be (unnecessarily) done more than once.

Which method do you think is the right one?

Similarly, there are three ways to get hold of the public key of the commenter:

  1. Query the key-servers like pgp.mit.edu
  2. Use the "Comment" section of a signature to pass the URL which holds the public key, or
  3. As suggested by Jacques Distler in the comments to the first PGPComment post, parse the homepage of the commenter to get the `<link rel="pgpkey" type="application/pgp-keys" href="PUBLICKEY_URL" />` tag and retrieve the public key from that URL.

The problem with the third option is that not everyone who has a public key and comments on a blog has a web page. Also, fetching the web page, parsing the HTML and then fetching the public key is a three-step process. The issue with the first method is that the web of trust plays no part in the verification of the keys, so a key fetched from a keyserver need not belong to the person it claims to; misinformation is possible. It looks like a good idea to try the second option first and fall back on the first option if it fails.
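The key-location step of the design above, as an added example (Python rather than the plugin's Perl, and not code from PGPComment itself): it pulls the key URL from the signature armor's "Comment:" header (option 2), then from the commenter's homepage `<link rel="pgpkey">` tag (option 3), and otherwise signals the keyserver fallback (option 1). The signed comment, the homepage HTML and all URLs are constructed samples; the code only locates a key, and whether that key should be trusted is a separate decision.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample (not a real signature): a clearsigned comment whose
# armor "Comment:" header carries the signer's public-key URL (option 2).
SIGNED_COMMENT = """-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Nice post!
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: http://example.com/~commenter/pubkey.asc

iD8DBQFAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
=abcd
-----END PGP SIGNATURE-----
"""
# Constructed sample homepage carrying the <link rel="pgpkey"> tag (option 3).
HOMEPAGE_HTML = ('<html><head><link rel="stylesheet" href="style.css" />'
                 '<link rel="pgpkey" type="application/pgp-keys" href="keys/me.asc" />'
                 '</head><body>hi</body></html>')

ARMOR_COMMENT = re.compile(r"^Comment:\s*(\S+)\s*$", re.M)

def key_url_from_signature(signed):
    """Option 2: first http(s) URL in a Comment: header of the signature armor."""
    start = signed.find("-----BEGIN PGP SIGNATURE-----")
    if start < 0:                       # no signature block at all
        return None
    for value in ARMOR_COMMENT.findall(signed[start:]):  # ignore body text
        if urlparse(value).scheme in ("http", "https"):
            return value
    return None

class _PgpKeyLinks(HTMLParser):
    """Option 3: collect hrefs of <link rel="pgpkey" type="application/pgp-keys">."""
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):   # also called for self-closing tags
        a = dict(attrs)
        if tag == "link" and a.get("rel") == "pgpkey" \
                and a.get("type") == "application/pgp-keys" and a.get("href"):
            self.hrefs.append(a["href"])

def key_url_from_homepage(html, page_url):
    parser = _PgpKeyLinks()
    parser.feed(html)
    return urljoin(page_url, parser.hrefs[0]) if parser.hrefs else None

def locate_key(signed, homepage_html=None, homepage_url=None):
    """Returns (source, url); url is None when a keyserver lookup is needed."""
    url = key_url_from_signature(signed)
    if url:
        return ("comment-header", url)
    if homepage_html and homepage_url:
        url = key_url_from_homepage(homepage_html, homepage_url)
        if url:
            return ("homepage-link", url)
    return ("keyserver", None)           # option 1: look the key ID up instead
```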

Do share your thoughts.