PGP Signed Comments

TypeKey might be a centralised weblog comment registration service, but due to the recent change of the MT licence discussed in my previous post, I have lost hope of using it, since it currently only supports Movable Type 3 and TypePad. Later I found an interesting discussion on using PGP-signed comments for authentication. Jacques Distler talked about ways to get commenters to fill the comment textarea with PGP clear-signed text, with the server validating the signature before accepting the comment. A Movable Type plugin, OpenPGPComment, has already been written. It would be cool if it could be integrated with PGP's web of trust to decide whether a comment is displayed instantly or queued for moderation. For example, people I trust, either because I have signed their public key or because they are trusted by the people I trust, would be able to comment straight away. Others, if their comments are not PGP-signed or the key is not trusted, would have to wait for their comments to be approved.

Sounds like a great solution for authentication, with strong cryptography too!

However, PGP signing still has some problems. Besides the encoding differences between PGP and the browser that invalidate the signature once the text is posted, which the article discusses, clear-signing also has line-wrapping issues: the signed text is wrapped at 68 characters, and depending on how the blogging software handles the line breaks, the result may be undesirable. Trailing whitespace and CRLF/LF differences are harmless, because the OpenPGP cleartext rules strip trailing whitespace and normalise line endings before hashing, but any rewrapping changes the signed text and the signature fails. Latency fetching an unknown key off a key server can be an issue (for me at least).
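To make the two points above concrete, here is an added example (my own illustration, not code from the OpenPGPComment plugin or from Distler's article) of what the server side of PGP-signed comments has to do. It canonicalises a clear-signed comment the way RFC 4880 section 7 prescribes, which shows that CRLF line endings and stripped trailing blanks from a browser form POST do not change what was signed while a rewrapped line does, and it turns the status lines gpg prints with `--status-fd` into the publish-or-queue decision based on the trust level gpg reports for the signing key. The sample comment, its placeholder signature block and the canned gpg status lines are constructed; `verify_with_gpg` assumes a `gpg` binary and a keyring holding the commenter's key, and UTF-8 is assumed as the form charset.

```python
"""Server-side handling of a PGP clear-signed blog comment (added example)."""
import subprocess
import tempfile

BEGIN_SIGNED = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"

# Constructed sample comment: note the trailing blanks on the first body line
# and the dash-escaped "-- " signature delimiter. The signature armor is a
# placeholder and will not verify with gpg.
SAMPLE = "\n".join([
    BEGIN_SIGNED, "Hash: SHA1", "",
    "Nice post, I agree with the point about   ",
    "the TypeKey licence.",
    "- -- ",
    "Scott",
    BEGIN_SIG, "Version: GnuPG v1", "",
    "iD8DBQFAxxxxPLACEHOLDERxxxxxxxxxxxxxxxxxxxx", "=AAAA",
    END_SIG, "",
])


def _find(lines, marker, start=0):
    for i in range(start, len(lines)):
        if lines[i].rstrip() == marker:
            return i
    raise ValueError("missing " + marker)


def split_cleartext(message):
    """Return (armor headers, text lines, signature armor); ValueError if not clear-signed."""
    lines = message.replace("\r\n", "\n").replace("\r", "\n").split("\n")
    start = _find(lines, BEGIN_SIGNED)
    sig_start = _find(lines, BEGIN_SIG, start)
    sig_end = _find(lines, END_SIG, sig_start)
    i, headers = start + 1, []
    while i < sig_start and lines[i].strip():      # "Hash: ..." lines up to the blank line
        headers.append(lines[i])
        i += 1
    return headers, lines[i + 1:sig_start], "\n".join(lines[sig_start:sig_end + 1])


def canonical_signed_bytes(message):
    """RFC 4880 cleartext rules: undo dash-escaping, drop trailing spaces/tabs,
    CRLF between lines, no line ending after the last line. These bytes are what
    the signature covers, so they are also what to store and display."""
    _, text, _ = split_cleartext(message)
    out = []
    for line in text:
        if line.startswith("- "):
            line = line[2:]
        out.append(line.rstrip(" \t"))
    # Assumption: the form is served and read as UTF-8. A charset mismatch between
    # the commenter's PGP tool and the browser changes these bytes and breaks the signature.
    return "\r\n".join(out).encode("utf-8")


def verify_with_gpg(message, gpg="gpg"):
    """Run gpg --verify on the raw message and return its status-fd output.
    Assumes a gpg binary and the commenter's public key on the local keyring;
    not exercised offline (the decision logic below is fed canned output)."""
    with tempfile.NamedTemporaryFile("w", suffix=".asc", delete=False) as fh:
        fh.write(message.replace("\r\n", "\n"))
        path = fh.name
    proc = subprocess.run([gpg, "--batch", "--status-fd", "1", "--verify", path],
                          capture_output=True, text=True)
    return proc.stdout


def decision_from_status(status):
    """Map gpg status lines to ("publish" | "queue", reason). Policy from the post:
    a good signature from a key gpg rates fully or ultimately trusted is published
    at once; everything else (unsigned, unknown key, marginal trust) is queued."""
    good, trust = False, None
    for line in status.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        tag = fields[1]
        if tag == "GOODSIG":
            good = True
        elif tag in ("BADSIG", "ERRSIG", "EXPKEYSIG", "REVKEYSIG"):
            return "queue", tag            # ERRSIG is what a key missing from the keyring produces
        elif tag.startswith("TRUST_"):
            trust = tag[6:].lower()        # undefined / never / marginal / fully / ultimate
    if not good:
        return "queue", "no good signature"
    if trust in ("fully", "ultimate"):
        return "publish", "trust level " + trust
    return "queue", "key trust " + (trust or "unknown")


def triage(message, run_gpg=verify_with_gpg):
    """Full path for one submitted comment body; run_gpg is injectable for offline use."""
    try:
        split_cleartext(message)
    except ValueError:
        return "queue", "not clear-signed"
    return decision_from_status(run_gpg(message))


# Constructed transformations: a browser form POST (CRLF endings, trailing blanks
# stripped) and a blog engine reflowing the first two body lines into one.
def browser_mangled(message):
    return "\r\n".join(l.rstrip() for l in message.split("\n"))


def blog_rewrapped(message):
    return message.replace("about   \nthe TypeKey", "about the TypeKey")
```

`canonical_signed_bytes` gives the same bytes for the original and the browser-mangled copy, and different bytes for the rewrapped one, which is exactly the distinction the paragraph above draws. gpg applies the same canonicalisation when it verifies, so the raw message can be handed to it unchanged; the status lines are the only interface the moderation policy needs.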

The biggest problem is probably the adoption of PGP: not everyone is a PGP user. Actually, most people have no idea what PGP is! Would people care about the type of cipher and the key size when they are prompted to create a key? Even if they do happen to have created a key so they can comment on someone else's blog, are they going to carry their private key and OpenPGP-compatible software around for when they need to post from someone else's computer? Are they going to remember their passphrase? Even if they have everything ready, it is also "troublesome" for some to cut and paste clear-signed text into the browser.

We use GNU Privacy Guard extensively in our software at work. Every developer has their own key so they can sign various parts of our package. Two weeks ago I was going through our centralised keyring, and a few developers' keys had already expired. When I chased them to fix it, one had already forgotten his passphrase, so we ended up having to create new keys and re-sign the lot. We do not have a proper PKI, but managing keys for fewer than 10 developers should not be that hard. In the end it was messier than I had hoped, because people do not take to PGP well. Or perhaps people just don't care much about security.
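Expired keys are the easy half of that mess to catch early. As an added example (my own script, not anything we use at work), the following parses the machine-readable `gpg --with-colons --list-keys` output of a shared keyring and flags keys that have expired, are revoked, or expire within a warning window, so the chase can start while the owner still remembers the passphrase. The listing below is constructed; field positions follow gpg's documented colon format (field 2 validity, field 5 key ID, field 7 expiry as seconds since the epoch, empty when the key does not expire), and `list_keys` assumes a `gpg` binary on the path.

```python
"""Flag expired and soon-to-expire keys in a gpg keyring (added example)."""
import subprocess
from datetime import datetime, timezone

# Constructed --with-colons listing: Alice is fine, Bob has expired, Dave expires
# in under two weeks, Carol's key never expires.
SAMPLE_LISTING = """tru::1:1085000000:1117584000:3:1:5
pub:u:1024:17:0123456789ABCDEF:1000000000:1200000000::u:::scESC:
uid:u::::1000000000::0000000000000000000000000000000000000000::Alice Developer <alice@example.org>:
pub:e:1024:17:FEDCBA9876543210:1000000000:1080000000::-:::sc:
uid:e::::1000000000::0000000000000000000000000000000000000000::Bob Developer <bob@example.org>:
pub:f:1024:17:1122334455667788:1000000000:1086000000::f:::sc:
uid:f::::1000000000::0000000000000000000000000000000000000000::Dave Developer <dave@example.org>:
pub:f:2048:1:8899AABBCCDDEEFF:1000000000::::::sc:
uid:f::::1000000000::0000000000000000000000000000000000000000::Carol Developer <carol@example.org>:
"""


def list_keys(gpg="gpg"):
    """Fetch the real listing; assumes gpg is installed (not used by the offline check)."""
    return subprocess.run([gpg, "--batch", "--with-colons", "--list-keys"],
                          capture_output=True, text=True, check=True).stdout


def _expiry_epoch(field):
    """Field 7 is empty, seconds since the epoch, or (newer gpg) ISO 8601 basic format."""
    if not field:
        return None
    if field.isdigit():
        return int(field)
    dt = datetime.strptime(field, "%Y%m%dT%H%M%S").replace(tzinfo=timezone.utc)
    return int(dt.timestamp())


def keyring_report(listing, now, warn_days=30):
    """Return [(key id, user id, status)] for every primary key.
    `now` is seconds since the epoch, passed in so the check is reproducible."""
    report, current = [], None
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            expiry = _expiry_epoch(f[6])
            if f[1] in ("e", "r"):                 # gpg's own validity verdict wins
                status = "expired" if f[1] == "e" else "revoked"
            elif expiry is None:
                status = "no expiry"
            elif expiry <= now:
                status = "expired"
            else:
                days = (expiry - now) // 86400
                status = f"expires in {days} days" if days <= warn_days else "ok"
            current = [f[4], "", status]
            report.append(current)
        elif f[0] == "uid" and current and not current[1]:
            current[1] = f[9]                      # first user ID of the key above
    return [tuple(r) for r in report]


def needs_action(listing, now, warn_days=30):
    """Just the keys someone has to chase."""
    return [r for r in keyring_report(listing, now, warn_days)
            if r[2] not in ("ok", "no expiry")]


if __name__ == "__main__":
    import time
    for key_id, uid, status in needs_action(list_keys(), int(time.time())):
        print(f"{key_id}  {status:<22}  {uid}")
```

Run from cron against the central keyring and the report lands before the expiry does; extending the key's expiry date needs only the public key owner's passphrase, which is a much smaller job than generating a new key and re-signing everything.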

And looking at my own keyrings, I have not signed many keys since I started using PGP in the late 90's. Why? Because none of the friends I have physical contact with bother with cryptography. Well, I do have lots of non-geek friends, you know...

I would love to have PGP signed comments on my weblog! But I am afraid that it would also mean the end of commenting.