My implementation of a message authentication scheme for blog and Internet forum posts is designed to utilize the existing PGP key server infrastructure. The first proof-of-concept code embedded the EC key used by blogsig in the ‘Comments’ field of a PGP key. This was functional but far from sensible given the other options available.
The OpenPGP key format was designed with adaptability in mind. A feature which is commonly used to embed an image of the individual within the public key (likely inspired by the popular use of the X-Face header to embed an image of a user within newsgroup and email posts in the 90s) is also suitable for our purposes.
RFC 4880 describes the “User Attribute Packet” and its primary use. It also states that, within that packet, subpacket type 1 carries a JPEG image, whilst subpacket types 100-110 are reserved for private or experimental use.
The next task I have at hand is to confirm that the key servers will not strip packets of an unknown type from a key. If this test is successful, I will use a packet type that does not conflict with any existing projects to denote a blogsig EC public key and this will become the standard means of embedding a blogsig public key within a PGP key.
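The key server check described above can be scripted. This is an added example, not part of the original post or the blogsig code: it parses the subpackets of a User Attribute packet body per RFC 4880 section 5.12 and reports whether the private-use subpackets survived a round trip. Subpacket type 100, the stub image and the 32-byte key are constructed placeholders, and the packet bodies are assumed to have already been extracted from the uploaded and fetched keys.

```python
import struct

PRIVATE_TYPES = range(100, 111)  # RFC 4880 sec. 5.12: private/experimental use

def encode_len(n):
    """Subpacket length: 1, 2 or 5 octets (no partial body lengths)."""
    if n < 192:
        return bytes([n])
    if n < 8384:
        return bytes([((n - 192) >> 8) + 192, (n - 192) & 0xFF])
    return b"\xff" + struct.pack(">I", n)

def make_subpacket(sp_type, data):
    # The length covers the type octet plus the data, not the length field.
    return encode_len(len(data) + 1) + bytes([sp_type]) + data

def parse_user_attribute(body):
    """Split a User Attribute packet body into (type, data) subpackets."""
    out, i = [], 0
    while i < len(body):
        first = body[i]
        if first < 192:
            n, i = first, i + 1
        elif first < 255:
            if i + 2 > len(body):
                raise ValueError("truncated length")
            n, i = ((first - 192) << 8) + body[i + 1] + 192, i + 2
        else:
            if i + 5 > len(body):
                raise ValueError("truncated length")
            n, i = struct.unpack(">I", body[i + 1:i + 5])[0], i + 5
        if n < 1 or i + n > len(body):
            raise ValueError("subpacket length out of bounds")
        out.append((body[i], body[i + 1:i + n]))
        i += n
    return out

def private_subpackets(body):
    return [(t, d) for t, d in parse_user_attribute(body) if t in PRIVATE_TYPES]

def survived_roundtrip(uploaded, fetched):
    """True if every private-use subpacket came back byte-for-byte."""
    sent = private_subpackets(uploaded)
    return bool(sent) and sent == private_subpackets(fetched)

# Constructed sample: stub image data and a placeholder 32-byte key (not real).
SAMPLE_KEY = bytes(range(32))
UPLOADED = make_subpacket(1, b"\x00" * 200) + make_subpacket(100, SAMPLE_KEY)
STRIPPED = make_subpacket(1, b"\x00" * 200)  # what a stripping server would return
```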
Using the PGP key servers makes a lot of sense as we don’t need to set up our own infrastructure for blogsig. The primary identifier given in every blogsig signature line appended to posts is the PGP key ID. We’ll see how this concept works out. A full specification and example code will be published once all the details have been fully tested and hashed out.
We expect browser plugins to make the entire blogsig process transparent. I’ve gone to great pains to ensure that the blogsig itself does not exceed 80 characters (one standard line) in the worst-case scenario in order to make something that is usable and unobtrusive on Internet forums. Depending on the blog’s policies the signature could even be hidden in an <a> tag.