This is part two of an effort to design a workable system to allow people to sign comments they make online. Previously, I covered the rationale, and now I will outline a possible solution.
There are four things you need for a system of digital signatures to work:
- A method of generating and signing digital certificates that is trusted by the government, giving the resulting signatures some amount of legal recognition.
- A method of distributing the public certificates to allow for verification.
- A hassle-free way to sign comments on the web.
- A hassle-free way to verify signatures on the web.
Step 1. Producing the certificates
A digital certificate binds together an identity (composed of a name, email address, physical address, etc) and a public key. It is signed by a Certificate Authority (CA), who acts as a trusted third party, much like a witness signing a physical document.
In a perfect world, we could generate these digital certificates centrally, and distribute them to everyone by email. However, when you generate a public key for a certificate you also must generate a private key. The secrecy of the private key is the foundation of the security of the system, and must never be shared with anyone. It would be like teaching someone to forge your signature. Sending such a private key by any means makes the system much less secure.
The way to get around this problem is to have each person generate their own public/private key pair, and produce a Certificate Signing Request, which is sent to the CA, signed, and returned. During this process the private key is never exchanged.
The most common tool out there that can do this for you is OpenSSL, but it’s a Unix-based command line tool, and as such it is unsuitable for humans. It turns out that Netscape-compatible browsers (Firefox, Opera, Safari, and apparently Chrome – essentially everything except IE) and the HTML5 specification include a keygen element that is designed to do exactly what we need. That makes our job easier!
Still, you need to somehow prove your identity in the first place to get your certificate signed. My initial idea is to do this through physical shopfronts at Australia Post branches, Road Transport Authorities and the like, who are already set up to deal with ‘show me 100 points of identity’ type situations. You would be issued a one-time access code on paper, which you take home and use to submit your request on the website set up to sign the certificates. Voila! You now have a digital certificate, which the government is satisfied is held by you and only you. If anyone can think of an easier way of doing this, please let me know.
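As an added illustration (not code from the original post), here is the Step 1 flow in Go using the standard library's x509 package: MakeCSR stands in for what the keygen element does in the browser, and Issue stands in for the signing website after the one-time code has been checked. Ed25519 keys, the CA name, the sample identity and the validity periods are my assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// MakeCSR runs on the citizen's machine (the keygen element's job): only the DER request leaves; the private key stays with the caller.
func MakeCSR(name, postcode string) (ed25519.PrivateKey, []byte, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { return nil, nil, err }
	subj := pkix.Name{CommonName: name, PostalCode: []string{postcode}}
	der, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: subj}, priv)
	return priv, der, err
}

// NewCA makes a self-signed root for the example (a real root is created once and kept offline).
func NewCA() (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { return nil, nil, err }
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Comment CA"}, NotBefore: time.Now(),
		NotAfter: time.Now().AddDate(10, 0, 0), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil { return nil, nil, err }
	cert, err := x509.ParseCertificate(der)
	return cert, priv, err
}

// Issue runs at the CA: check the CSR's own signature (proof the requester holds the private key), then certify only name and postcode.
func Issue(csrDER []byte, ca *x509.Certificate, caKey ed25519.PrivateKey) (*x509.Certificate, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil { return nil, err }
	if err := csr.CheckSignature(); err != nil { return nil, err }
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: csr.Subject.CommonName, PostalCode: csr.Subject.PostalCode},
		NotBefore: time.Now(), NotAfter: time.Now().AddDate(2, 0, 0), KeyUsage: x509.KeyUsageDigitalSignature} // a real CA allocates unique serials
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, csr.PublicKey, caKey)
	if err != nil { return nil, err }
	return x509.ParseCertificate(der)
}

func main() {
	ca, caKey, _ := NewCA()
	_, csr, _ := MakeCSR("Jane Citizen", "2600") // constructed sample identity
	if cert, err := Issue(csr, ca, caKey); err == nil { fmt.Println(cert.Subject.CommonName, cert.Subject.PostalCode, cert.CheckSignatureFrom(ca)) } // Jane Citizen [2600] <nil>
}
```

The returned certificate is what the key server in Step 2 would publish; the private key returned by MakeCSR never appears in anything sent to the CA.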
Step 2. Making the certificates available to everyone
This bit is easy. Once the CA server has signed your certificate, it is automatically published on a Key Server, which may or may not be the same machine as the CA. The certificates are then available to anyone. To combat privacy concerns, it would be wise to limit the amount of information present in the certificates to just name and (for purposes of political comment) postcode. We might even be able to get away without an email address. If the certificate included the owner’s year of birth, it could potentially be used as a proof of age for restricted websites, but that would seem to introduce more problems than it solves.
Step 3. Signing comments effortlessly
The only way this sort of system will ever be used by more than a few dedicated crypto fans (like me) is to make it really easy to use. For that, we’ll need a browser plugin that can sign a comment with one click. Thanks to Mozilla’s pioneering of the plugin system, developing a few of these plugins for different browsers should be fairly simple. Presumably, they would make the comment fields look something like this:
There’s a hitch, though. Say Alice writes a blog post “I want action on climate change”, and you post and sign a comment that says “I agree with Alice.” Fine so far. Now Alice edits her blog post to say “I don’t believe in climate change”, and your comment is still there proclaiming your agreement. Hmm.
To counter this, whenever you sign a comment, the text of the post you’re commenting on has to be included in the signing process, and it must be retrievable later on. Along with the text of the post, you’re also going to want the text of any comments you’re responding to included as well. This could potentially get messy, but thankfully none of this extra text needs to be visible most of the time, unless you want to verify the comment.
Step 4. Knowing if a signature is valid or not
What should be visible is an indication of whether the blog post has changed since each comment was posted, and if so, there should be the ability to see the text of the post saved within the signed comment. Something like this:
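An added example, not part of the original post, of how the plugin could fold the post and parent-comment text into the signature (Step 3) and how a verifier would then report an edited post (Step 4). The record layout, the length-prefixed encoding, the Ed25519 key and the status strings are my assumptions; the post and comment text are the Alice example from above.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// SignedComment is what the plugin submits; Post and Parents are stored so the context can be shown later.
type SignedComment struct {
	Post, Comment string   // blog post text at signing time; the comment itself
	Parents       []string // comments being replied to, oldest first
	Sig           []byte
}

// canonical builds the bytes that get signed; each field is length-prefixed so text cannot shift between fields.
func canonical(post string, parents []string, comment string) []byte {
	var buf []byte
	for _, s := range append(append([]string{post}, parents...), comment) {
		buf = binary.BigEndian.AppendUint64(buf, uint64(len(s))) // needs Go 1.19+
		buf = append(buf, s...)
	}
	return buf
}

// Sign is the one-click action: capture the post and parent texts with the comment and sign all of them.
func Sign(priv ed25519.PrivateKey, post string, parents []string, comment string) SignedComment {
	return SignedComment{Post: post, Parents: parents, Comment: comment, Sig: ed25519.Sign(priv, canonical(post, parents, comment))}
}

// Verify reports "invalid" (signature fails over the stored context), "context changed" (post or a parent edited since), or "valid".
func Verify(pub ed25519.PublicKey, sc SignedComment, nowPost string, nowParents []string) string {
	if !ed25519.Verify(pub, canonical(sc.Post, sc.Parents, sc.Comment), sc.Sig) {
		return "invalid"
	}
	if string(canonical(sc.Post, sc.Parents, "")) != string(canonical(nowPost, nowParents, "")) {
		return "context changed"
	}
	return "valid"
}

// Scenario signs the Alice example (constructed sample text) with a fresh key and returns the public key plus the record.
func Scenario() (ed25519.PublicKey, SignedComment) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { panic(err) }
	return pub, Sign(priv, "I want action on climate change", nil, "I agree with Alice.")
}

func main() { pub, sc := Scenario(); fmt.Println(Verify(pub, sc, sc.Post, nil), Verify(pub, sc, "I don't believe in climate change", nil)) } // valid context changed
```

When Verify reports "context changed", the stored Post and Parents fields are exactly the text the reader should be offered to view, since the signature still covers them.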
And that’s about it. There are additional details to work out, such as how to respond to revoked certificates, but in the main I think this system should work.
In my last post I covered the implications verifiable identity would have for online petitions. It seems the government will soon be happy to accept a name, address, and email as a ‘signature’ on an online petition, provided that petition is hosted on its own website. This seems reasonable, as petitions are really more about rough bulk numbers than individual signers. What a more stringent system like the one I’ve described buys you is the ability to prepare a petition anywhere, and submit it in the knowledge that every signature on it is verifiable by the government. (Consider the text of the petition to be the blog post, munged into every signature.) For petitions alone this might be overkill, but it also allows the signing of political comment and indeed any type of comment, such as the professional opinion of a doctor, lawyer, or engineer.
There are plenty of jurisdictions worldwide, such as the EU and California, that have accepted the inevitability of digital signatures and included them in new legislation. Given that more and more of our communication is moving online, we need to come up with solutions to the problems we’re causing ourselves.