TriNetre - Archive for March 10, 2004

(no longer updated)



March 10, 2004
Redesigning Project Gutenberg website
[Misc.] @ 02:28 PM

The challenge to propose alternate designs for the Project Gutenberg website has resulted in several great designs. Though several of them use too many graphics in their design for my taste, all of them are very interesting.

The design by Bright Corner has a cosy look to it, very similar to an inviting reading chair. It is also distinct in the amount of information it is able to display without looking cluttered. The design by Dan Hodos is great too, though I would have loved it more had it not taken so much space for the logo. Aleksandar Vacia's design is clean and elegant, though at times the light grey font color does not contrast enough with the background. I would hate to read a lot of text without contrast.

Using the dotted lines to represent links looks weird when the link names are names of books that can stretch across several lines on the left-hand side. Diego Mencarelli's design is classy, though I wonder whether the tiled background image will sit well with many.



Signing comments cannot tackle SPAM
[Technology] @ 12:06 PM

I know this blog is turning into a dumping ground for OpenPGPComment thoughts, but I promise you this will be the last for some time to come.

Several people have somehow interpreted that the basic use of signing the comments, and hence using OpenPGPComment plugin, is to counter the SPAM attacks and crap floods. I am not sure how this connection got established, but if you ask me, signing of comments just will not solve the SPAM problem. Frankly, OpenPGPComment was never meant to tackle the SPAM issue.

The ability to sign comments left on a blog was meant to cover two bases:

Using signed comments to tackle SPAM may sound enticing but it just will not work. Unless something radically different happens, I do not see a widespread acceptance of PGP and related technologies by common bloggers. The understanding of PGP, Web-of-trust and "Point-of-trust" is essential in using signed comments. If the use of signed emails is anything to go by, it will be a long time before ordinary folk will even hear about PGP. Blog owners might be technically inclined to set up OpenPGPComment, but a user who plans to post comments need not be "geeky" enough to use it.

Another reason is that a typical web hosting environment does not have the necessary ability to perform server side signature verification. So, even if a blog owner sets up the system, it will be restricted to showing the raw signature. A spammer who is smart enough to spam blogs will easily be able to forge a "signature" for a comment. The signature need not (and often will not) be valid, but the blog system will not know this.

My opinion, hence, is that using signed comments to fight SPAM will not work, as it stands now.



Server-side signature verification in OpenPGPComment
[Software] @ 11:19 AM

With the release of version 1.4, OpenPGPComment now has the ability to perform automatic server-side verification of PGP/GPG signed comments. Do upgrade if you like this feature.

Thanks go out to Jacques Distler for proposing the mechanism to automatically fetch the public keys for use in the verification process as well as for contributing to the code. Thanks also to Christoph Rummel and Jacques for helping with the beta testing.

Unfortunately, I am still trying to get my hosting provider to successfully install Crypt::OpenPGP. Hence, for now, TriNetre will not be supporting server side signature verification. For a demo on how the whole thing works, do head down to Jacques Distler's blog. [Update on 2004-03-12] Finally got my host to install the modules. So you can see server side verification of comment signature on TriNetre as well!

OpenPGPComment is a Movable Type plugin that allows MT powered blogs to support PGP/GPG signed comments. Please note that this plugin was formerly named 'PGPComment'.

The system saves the PGP comment as-is into the MT database. When listing the comments to an entry, the PGP-related details are stripped away and only the actual comment is shown. Details of the PGP comment in its original form can be got by following the [OpenPGP Signature] link next to the comment. This unaltered post can be used to verify the signature. Optionally, the plugin can even perform a server-side verification of the comment.

[Update] - just added a GPG detached signature and clear-signed the MD5 details.
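
The store-as-is and strip-for-display step described above, combined with the earlier point that a blog showing only the raw signature cannot tell a forged block from a valid one, as an added Python example (not OpenPGPComment's own code, which is a Movable Type plugin). It splits a clear-signed comment following the OpenPGP cleartext signature layout and labels it `signed-unverified` unless a verifier is supplied; the function names, the `verify` hook and the sample comment are assumptions constructed for this example.

```python
import re

BEGIN_MSG = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"

def split_clearsigned(raw):
    """Return (text, hash_names, signature_armor), or None if not clear-signed."""
    lines = raw.replace("\r\n", "\n").split("\n")
    try:
        start = lines.index(BEGIN_MSG)
        sig = lines.index(BEGIN_SIG, start + 1)
        end = lines.index(END_SIG, sig + 1)
    except ValueError:
        return None
    # Armor headers ("Hash: SHA1") run up to the first empty line.
    body, hashes = start + 1, []
    while body < sig and lines[body] != "":
        m = re.fullmatch(r"Hash: *([A-Za-z0-9, ]+)", lines[body])
        if not m:
            return None                  # only Hash headers are allowed here
        hashes += [h.strip() for h in m.group(1).split(",")]
        body += 1
    if body >= sig:
        return None                      # blank separator line is missing
    # Undo dash-escaping: a signed line starting with "-" is stored as "- -...".
    text = [l[2:] if l.startswith("- ") else l for l in lines[body + 1:sig]]
    return "\n".join(text), hashes, "\n".join(lines[sig:end + 1])

def render_comment(raw, verify=None):
    """Return (display_text, status). `verify` is a hypothetical hook that
    receives the unaltered stored comment and returns True or False."""
    parts = split_clearsigned(raw)
    if parts is None:
        return raw, "unsigned"
    if verify is None:
        # Well-formed armor proves nothing: anyone can paste a signature block.
        return parts[0], "signed-unverified"
    return parts[0], "valid" if verify(raw) else "invalid"

# Constructed sample: the armor body is filler, not a real signature.
SAMPLE = "\n".join([
    BEGIN_MSG, "Hash: SHA1", "",
    "Nice post.", "- -- ", "A. Commenter",
    BEGIN_SIG, "", "bm90IGEgcmVhbCBzaWduYXR1cmU=", "=AAAA", END_SIG, ""])

if __name__ == "__main__":
    print(render_comment(SAMPLE))
```

The sample parses cleanly even though its signature block is filler, which is why the status stays `signed-unverified` until a real verifier is plugged in.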