Putting your name to your comments

August 15th, 2010

This is part two of an effort to design a workable system to allow people to sign comments they make online.  Previously, I covered the rationale, and now I will outline a possible solution.

There are four things you need to allow a system of digital signatures to work:

  1. A method of generating and signing digital certificates that is trusted by the government, giving the resulting signatures some amount of legal recognition.
  2. A method of distributing the public certificates to allow for verification.
  3. A hassle-free way to sign comments on the web.
  4. A hassle-free way to verify signatures on the web.

Step 1. Producing the certificates

A digital certificate binds together an identity (composed of a name, email address, physical address, etc) and a public key.  It is signed by a Certificate Authority (CA), who acts as a trusted third party, much like a witness signing a physical document.

In a perfect world, we could generate these digital certificates centrally, and distribute them to everyone by email.  However, when you generate a public key for a certificate you also must generate a private key.  The private key is the foundation of the system's security, and must never be shared with anyone.  It would be like teaching someone to forge your signature.  Sending such a private key by any means makes the system much less secure.

The way to get around this problem is to have each person generate their own public/private key pair, and produce a Certificate Signing Request, which is sent to the CA, signed, and returned.  During this process the private key is never exchanged.

The most common tool out there that can do this for you is OpenSSL, but it’s a Unix-based command line tool, and as such it is unsuitable for humans.  It turns out that Netscape-compatible browsers (Firefox, Opera, Safari, and apparently Chrome – essentially everything except IE) and the HTML5 specification include a keygen element that is designed to do exactly what we need.  That makes our job easier!

Still, you need to somehow prove your identity in the first place to get your certificate signed.  My initial idea is to do this through physical shopfronts at Australia Post branches, Road Transport Authorities and the like, who are already set up to deal with ‘show me 100 points of identity’ type situations.  You would be issued a one-time access code on paper, which you take home and use to submit your request on the website set up to sign the certificates.  Voila!  You now have a digital certificate, which the government is satisfied is held by you and only you.  If anyone can think of an easier way of doing this, please let me know.

Step 2. Making the certificates available to everyone

This bit is easy.  Once the CA server has signed your certificate, it is automatically published on a Key Server, which may or may not be the same machine as the CA.  The certificates are then available to anyone.   To combat privacy concerns, it would be wise to limit the amount of information present in the certificates to just name and (for purposes of political comment) postcode.   We might even be able to get away without an email address.   If the certificate included the owner’s year of birth, it could potentially be used as a proof of age for restricted websites, but that would seem to introduce more problems than it solves.

Step 3.  Signing comments effortlessly

The only way this sort of system will ever be used by more than a few dedicated crypto fans (like me) is to make it really easy to use.   For that, we’ll need a browser plugin that can sign a comment with one click.   Thanks to Mozilla’s pioneering of the plugin system, developing a few of these plugins for different browsers should be fairly simple.  Presumably, they would make the comment fields look something like this:

There’s a hitch, though.  Say Alice writes a blog post “I want action on climate change”, and you post and sign a comment that says “I agree with Alice.”  Fine so far.  Now Alice edits her blog post to say “I don’t believe in climate change”, and your comment is still there proclaiming your agreement.  Hmm.

To counter this, whenever you sign a comment, the text of the post you’re commenting on has to be included in the signing process, and it must be retrievable later on.  Along with the text of the post, you’re also going to want the text of any comments you’re responding to included as well.  This could potentially get messy, but thankfully none of this extra text needs to be visible most of the time, unless you want to verify the comment.

Step 4. Knowing if a signature is valid or not

What should be visible is an indication of whether the blog post has changed since each comment was posted, and if so, there should be the ability to see the text of the post saved within the signed comment. Something like this:

And that’s about it. There are additional details to work out, such as how to respond to revoked certificates, but in the main I think this system should work.

In my last post I covered the implications verifiable identity would have for online petitions.  The government seems to (soon) be happy to accept a name, address, and email as a ‘signature’ on an online petition, if that petition is hosted on their own website.  This seems reasonable, as petitions are really more about rough bulk numbers than individual signers.  What a more stringent system like the one I’ve described buys you is the ability to prepare a petition anywhere, and submit it in the knowledge that every signature on it is verifiable by the government.  (Consider the text of the petition to be the blog post, munged into every signature.)  For petitions alone this might be overkill, but it also allows the signing of political comment and indeed any type of comment, such as the professional opinion of a doctor, lawyer, or engineer.

There are plenty of jurisdictions worldwide, such as the EU and California, that have accepted the inevitability of digital signatures and included them in new legislation.  Given that more and more of our communication is moving online, we need to come up with solutions to the problems we’re causing ourselves.

Putting online petitions on par with paper

August 15th, 2010

With the rise of social media has come an unprecedented tool for collaboration and the spreading of political awareness. It is easier than ever to reach out to like-minded people and mobilise them to support a common cause.

Unfortunately the technically savvy are being disadvantaged by lagging legislation.

A powerful method of convincing the government that an issue needs attention is to put together a petition and gather signatures. It effectively conveys to those in power that a significant number of people care enough about the issue to put their name to it. This works very effectively for local issues, where the likely supporters of the petition are geographically close, and can be found by doorknocking and setting up desks at local meeting places.

But what happens when you’re geographically dispersed, but connected through Facebook, Twitter, or YouTube? What if your meeting place is online? You’re out of luck.

Current standing orders for the Senate and House of Representatives state that for a petition to be submitted, “each signature must be made by the person signing in his or her own handwriting”. Online petitions can’t be tabled in the Senate, or submitted in the House. The State Governments of Queensland and Tasmania accept online petitions, but the other states do not. Those two states host their own petition websites, and require people to provide their name, address and email to sign a petition.

The Federal House Standing Committee on Petitions considered the issue last year. On 16 Nov 2009 the Chair of the committee, Julia Irwin, presented the committee’s report on Electronic Petitioning to the House of Representatives.

The report calls for the House to accept electronic petitions and asks that the House make the necessary changes to Standing Orders to allow this to occur. The committee regards electronic petitions as an addition to and not a replacement for our current system of paper petitions. It also recommends that the House provide, under its own administration, a website for electronic petitions where they can be posted, signed and published.

If put into practice, this will be a major step forward for the relationship between the House and Australians. It is clear from the findings of the committee that electronic petitions offer a powerful tool which can be used by parliaments to encourage people to participate more meaningfully in our system of government.

I couldn’t agree more, though I hope the website mentioned will not be the only method of submitting electronic petitions.

As of 24 June 2010, “The government response is being considered and will be tabled in due course”.

So progress is being made. Maybe.

The kind of electronic petitions being talked about, following the same model as Queensland and Tasmania, are government-hosted websites. Which are fine, as far as they go. They don’t provide any kind of assurance that the signatures aren’t fabricated, and anyone whose signature turns up on the petition can easily deny that they signed it. This isn’t really a problem when we’re just talking about petitions, but there are a lot of other circumstances when you may want to sign something online and be sure that no-one can forge it.

Early this year, a new Bill came into effect in South Australia that made it illegal to post political comment online during an election campaign without including your name and address. It wasn’t popular, and was quickly repealed.

I am a firm believer that the internet should be as open as possible, and censoring anonymous political comment runs entirely counter to that principle. That being said, there is a place for proving your identity online, and current comment fields do not really allow that. I want to be able to put my name to my input if I so choose, in such a way that others have good reason to believe it’s from me. It’s easy enough to include your name and address in the comment, but this is unwise from a privacy perspective, and trivial to forge. It’s not an electronic signature.

An electronic signature is any legally recognised way of indicating that someone wants to sign an electronic message. They are usually implemented with digital signatures, which are part of Public Key Cryptography. A digital signature is a cryptographic technique for generating a block of data that can only be produced by the holder of a private cryptographic key, and only verifies if the associated message is still exactly as it was when it was signed.

So – how can you sign a comment with a digital signature?

You may have seen comments in forums that look something like this:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

This is a message that I have signed.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEcBAEBAgAGBQJMZrJsAAoJELr8cbrLQnATKjEH/jkcXufBv8yVw0PA/yszIbkG
OIO/k4s2Q+jGNXJIYwp+aD95lxG4Y4CiXCCMjUP33GvdBOZG6JqB/ZrrdADbsfxx
7cSfhTdY8d2v6do0umGoRpkAXjFd5wfJQOJDBkSGwnyC7LVkV869Mv4AXvxR/gU3
dQocBVJSwBSCHup1RtpdQBkgvVcNBjrPv9IT9Hw0p04NszZV266nP1u7JEJ85Tqd
2ukIuRCOzcd+TZGejh+R1t1KK9e205aCF7kYwA1zxIsMEYHEGx//rh2T0tEDjpYB
s6G7n6ZRfwEddm1YZG3Aaari1rXrB3FmMQYwS978MFjOB/i8iKp7M/MNAOo5WDs=
=S8GD
-----END PGP SIGNATURE-----

This is a properly signed message using Pretty Good Privacy (yes, really), the accepted benchmark for signing messages, but it’s not very usable. In order to verify the signature, you would need to go find my public key from wherever I’d published it, and run them both through a PGP application to see if it’s genuine.

There are features or extensions available for most email clients to do exactly that when the message is an email. In Thunderbird, it looks like this.

Used properly, PGP makes email about as secure as possible without special hardware. But we’re not talking about email, we’re talking about online comments. The website owner can manipulate the site however they like, so it’s no good to rely on the web page to tell you the message is genuine. You have to be able to verify the signature yourself. That means there has to be a key server somewhere that allows everyone to check anyone’s public key. Such a server would allow a browser plugin, running on anyone’s machine, to independently verify the signature on a signed comment. So we need a key server, we need a bunch of keys, and we need an application that will verify the comments.

Next time I’ll talk about how the pieces fit together.

Welcome

June 10th, 2010

Welcome to Evolver Systems.

Evolver is a Sydney-based company that designs and builds software systems, founded in 2009 by Matt Fisher.

It is dedicated to making people more productive, both in Australian commerce and in the wider world, especially the developing world. Evolver believes that sharing knowledge does more good for more people than licensing it does, and supports Open Source Software as a means to that end.

You can find out more about Evolver’s projects on the pages of this site.

This blog will contain the writings of Matt and his associates, on matters of technical, commercial, and social interest.

Enjoy.