How do I sign WordPress posts with PGP?
Does anybody know of a WP plugin for this, potentially?
I am interested in gaining greater control over the integrity of my data and how it is displayed and connected to me as a human being both legally and socially.
There are some more specific reasons but I will go into that elsewhere as it is a different topic.
September 14th, 2007 at 6:12 pm
Connected to this article thematically:
- Discussion of Jesus, PGP, open-source, knowing the truth in your heart:
http://www.timboucher.com/journal/2007...hi-communist-education/#comment-84936
- What sparked a renewed interest in PGP and data-source integrity:
http://www.timboucher.com/journal/2007...09/14/parallel-baidu-google-searches/
September 14th, 2007 at 6:13 pm
I’m really into the Declaration of Independence lately, which I think also thematically connects.
September 14th, 2007 at 7:06 pm
Almost but not quite
http://www.maxpower.ca/wordpress-plugi...t-detecting-content-theft/2006/09/25/
September 14th, 2007 at 8:09 pm
Hey Tim,
I wasn’t able to find a plugin for WordPress, but couldn’t you accomplish this manually without too much hassle? I guess I’m not clear on what, exactly, you envision the WordPress plugin doing.
Here’s an example:
http://sadamclemson.blogspot.com/2006/03/signing-blog-posts.html
There are a few challenges to work around, however, like the effect of formatting and mark-up on the post - because the post you paste into the WordPress editor is not necessarily the post that gets rendered, or even the post that a visitor ends up with after trying to copy-paste from the page into whatever application they are using to verify your signature. It would almost seem to require some manner of server-side and client-side component to manage all that nastiness and ensure that what you actually wrote is getting passed without formatting.
Just some thoughts.
Hope you are well,
Alec
September 14th, 2007 at 8:12 pm
Hm, interesting place to start. Thanks!
I guess the thing I don’t quite understand is what makes a PGP signature a PGP signature, precisely. Like if I were just to include manually as a code snippet the BEGIN SIGNATURE and END SIGNATURE things at the beginning and end of every post, does that still constitute, technically, a signature?
September 14th, 2007 at 9:43 pm
Right, first off I’m no digital security expert - I’ve only dabbled with PGP and a few other encryption mechanisms in the course of my work as a web developer. But, the way I understand it, a PGP signature acts like a “fingerprint” (technically referred to as a digest) of the information that’s being signed. This guarantees to a high degree of certainty that the information hasn’t been tampered with. The signature also includes information about the key used to sign the information, such that you can conclude (again, to a high degree of certainty) that the information came from a particular person. So, the signature is not a constant thing. It’s determined in part by the information that is being signed. If that information changes, the signature will change.
This is where things get a bit tricky in our situation. Let’s say you write a post and sign it with your private key. Someone else wants to verify that you wrote it and that it hasn’t been tampered with. Using PGP, your public key (which you could distribute through your site, for instance), and a copy of your post along with the signature they should be able to do this. But, if so much as a space, carriage return, any mark-up, etc. somehow got inserted into the post after you signed it, the verification on their end will fail because the information has changed.
It’s a very involved subject so I’d recommend you tinker around with a distribution of PGP and do a little reading to better understand concepts like public and private keys, signing, trust, etc. Wikipedia has a decent synopsis:
http://en.wikipedia.org/wiki/Pretty_Good_Privacy
September 15th, 2007 at 1:46 am
Okay, so that is what I needed to know. That is why it has to be a WordPress plugin which dynamically hooks into it.
Yeah, but that is a strength. That’s what you would want! That is why it was designed that way.
Thanks for the tips though, that has already opened doors!
September 15th, 2007 at 3:41 am
lol, yeah I know! My point was merely that you’d have to devise a solution to make sure that the information being authenticated by the end-user is exactly the same as the information you signed. A system which relies upon the end-user to copy-paste a portion of your web page would probably give less-than-satisfactory results, because of the potential for extraneous mark-up getting copied along with it - information which was not in your original, signed post.
Shoot me an email if you’d like to discuss it more. PHP isn’t my element - most of my experience is with ASP.NET - so I probably wouldn’t be much use where actual implementation is concerned. But, I could probably lend a hand if you want to brainstorm.
You’re not in Seattle anymore, right? Where’d you end up? I think I read something about you and northern CA a while back. If you’re still around that area we could get together for a chat about PGP and what-not. I’ll be in Marin County for a couple weeks come the end of this month.
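Editor's added example, not part of any comment in this thread and not code from a WordPress plugin: a sketch of the canonicalization step the discussion calls for, where signer and verifier both reduce the post to the same bytes before the digest is computed. The function names, the normalization rules and the sample post are assumptions made for illustration; SHA-256 stands in for the digest a PGP signature would cover, and no PGP signing is performed here.

```python
import hashlib
import html
import re
import unicodedata

# Typographic characters that rendering commonly substitutes for plain ASCII.
_TYPOGRAPHY = str.maketrans({
    "\u2018": "'", "\u2019": "'",   # curly single quotes
    "\u201c": '"', "\u201d": '"',   # curly double quotes
    "\u2013": "-", "\u2014": "-",   # en and em dashes
    "\u00a0": " ",                  # non-breaking space
})

def canonicalize(text: str) -> bytes:
    """Reduce a post to the bytes both signer and verifier agree to sign."""
    text = re.sub(r"<[^>]+>", " ", text)        # drop mark-up added by editor or theme
    text = html.unescape(text)                  # &amp; -> &, &#8217; -> curly quote
    text = unicodedata.normalize("NFC", text)   # one representation per character
    text = text.translate(_TYPOGRAPHY)
    text = re.sub(r"\s+", " ", text).strip()    # collapse spaces, tabs, CR/LF
    return text.encode("utf-8")

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed sample: what the author typed, and what a visitor copies from the page.
TYPED = "I'm signing this post.\r\n\r\nIt says \"hello\" & nothing else."
RENDERED = ("<p>I&#8217;m signing this post.</p>\n"
            "<p>It says &#8220;hello&#8221; &amp; nothing   else.</p>\n")
TAMPERED = RENDERED.replace("nothing", "something")

def compare(a: str, b: str) -> dict:
    """Compare two copies of a post by raw digest and by canonical digest."""
    return {
        "raw_match": digest(a.encode("utf-8")) == digest(b.encode("utf-8")),
        "canonical_match": digest(canonicalize(a)) == digest(canonicalize(b)),
    }

if __name__ == "__main__":
    print("typed vs rendered:", compare(TYPED, RENDERED))
    print("typed vs tampered:", compare(TYPED, TAMPERED))
```

A signature made over the output of `canonicalize()` survives mark-up and whitespace changes but still fails when a word changes; the trade-off is that it no longer covers the distinctions the canonical form discards, such as curly versus straight quotes.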
September 15th, 2007 at 3:45 am
I’m still in Seattle. Having a “kegger.” I will invite you.
Would still like to continue this main conversation publicly but I will probably blast you a separate email.
Other people who have ideas about this type of project and its implications and implementations, please continue discussing!