TypeKey from a different angle

I’ve been poking at the idea of TypeKey, and not much liking it, from the comment registration angle. I saw it as an answer to people begging for comment registration as though that would somehow make trolls go away, or stop spam or crapfloods, which it certainly won’t: trolls and spammers and crapflooders are much more motivated, and thus much more willing to register with a throwaway address, than the sort of casual commenter who knows the answer your post was pleading for, and wouldn’t mind giving it to you if it’s not too much trouble.

Now, I’m not so sure that’s the right angle to take. If instead of seeing TypeKey as a slightly more tolerable (because you only have to lie about your email address once instead of many times) way to implement registration, you look at it as way to implement comment moderation, it begins to look a tad bit better.

My comments are mostly in three groups:

  1. People like Jacques tweaking me for missing something obvious, or Dave misunderstanding me and ripping me a new one, or Shannon whispering sweet nothings (back before I pissed her off): people I know, and trust to say anything they want with any links they want, whether I’ll like it or not.
  2. People I haven’t met before, who may want to say something interesting, or link to something I’ve missed, or may want to link to their sugar-pill store or sell some annoying ringtones. Sometimes I want to include what they say in my page, sometimes I don’t. I don’t really mind their text, for a while, either way, but there’s always the chance I’ll really strongly object to their links.
  3. People I know I never want to hear from again: since I don’t write about controversial things of general interest very often, these are mostly the people who’ve proven that they only want to sell sugar-pills, though if I did write about politics, say, and had the same person leaving a stupid and insulting (as opposed to smart and contrary, which I don’t mind) comment on every single post, I’d include them in the never want to hear from again class.

I want the first class to post whatever they want, whenever they want, with any HTML they want. I want the second class to post, but I might not want to let them use HTML, or link from their name, until I’ve looked at what they have to say, and if their noise got to be too much I might even want to hide them like a Slashdot comment below the normal browsing level, so that they were visible, but only with an effort. The third class? They can find their own place to talk, there’s plenty of places other than here.

Depending on how it’s implemented, TypeKey plus MT 3.0 might actually let me do that: since it’s going to be possible to blacklist a TypeKey identity, it ought to be possible to instead whitelist the ones I know, and dump everyone else into moderation. Then, if I can get at moderated comments, I ought to be able to either display them as a placeholder, possibly linked to a hidden <div> with the comment, for the curious, or display them with HTML stripped until I’ve had a chance to look at them and see whether they are new friends or new unpersons.

Moderation is the only solution to comment spam that has ever struck me as at all useful, but I want a way around having things slow down when I can’t approve comments quickly enough. To a certain extent, I don’t mind not letting people chat amongst themselves while I’m not around: I don’t mind quite a lot of conversation and tangents in my comments, but I also see (and participate in, I’m ashamed to admit) a lot of comment threads that are the weblog equivalent of going to someone’s house, pulling their other guest off into a corner to talk, and completely ignoring the host. If comment moderation slowed things down a little bit when the permanent floating Syndication War argument stops by one of my posts, that might not be the end of the world.

Seen as a solution on its own, TypeKey seems pretty clueless: most spammers will have dozens of domains, hundreds of disposable email addresses, and virtually unlimited IP addresses, and no compunction about signing up for any number of TypeKey identities. But seen as a way to separate the wheat from the chaff, and let the people you’ve met at least once before through, rather than a way to separate the chaff from the wheat, and stop the unknown bad strangers without stopping the unknown good strangers, it might just work. Telling Jacques from a stranger, even one claiming to be him, is easy: check the PGP signature. But until everyone realizes how useful PGP can be for them (and people stop writing things like the Textile filter and the Movable Type import/export format that try to eat PGP signatures), maybe some other form of authentication, like TypeKey, is worth trying.

Now I just have to figure out how to do it in a way that won’t stop Shell from commenting: her comments may not be all that frequent, but I’m not willing to give up even one of them. Hmm. Maybe Gary Lawrence Murphy’s idea of hundreds of competing authentication servers: I’ll blanket whitelist anyone from auth.burningbird.net, since a friend of yours is a friend of mine.

42 Comments

Comment by Roger Benningfield #
2004-03-25 03:48:40

Phil: ”I also see (and participate in, I’m ashamed to admit) a lot of comment threads that are the weblog equivalent of going to someone’s house, pulling their other guest off into a corner to talk, and completely ignoring the host.”

That’s a sensitivity with many bloggers that I will never understand. It’s just completely alien to me. I think it comes down to something I said in Shelley’s comments… some folks believe comment tools should serve the user, and I believe they should serve the conversation.

 
Comment by Jacques Distler #
2004-03-25 06:25:54

If you want to whitelist me, you needn’t rely on my having registered with TypeKey. You could just whitelist any comment signed with keyID 7A587237.

Similarly, if Shelley continues to have moral, philosophical, or olfactory objections to TypeKey, she could start PGP-signing her comments, and you could whitelist her key.

You could even automate the process: anytime you approve a PGP-signed comment, the corresponding key could be added to your whitelist.

The advantages are many (in particular, it’s much more resistant to identity-theft than any TypeKey-like service) and, most importantly, you’re not relying on a third party for authentication services. It’s all between you and the commenter.

Of course, you’d have to get Crypt::OpenPGP running on your server, and people like Shelley would have to decide to start signing their comments. But, in the long-run, everbody would come out ahead.

P.S.: The trouble with Textile was a short-lived glitch: we needed to strip out the PGP signature before running the comment through the text-filter(s). I’d be happy to share the patch with you, though I have a feeling that a new version of Srijith’s plugin is on the way…

Comment by Phil Ringnalda #
2004-03-25 09:18:00

Do I actually have to suffer the slings and arrows of Crypt::OpenPGP? There seem to be several nice wrappers for both GPG and PGP on CPAN, and mine host seems to have installed both of those for me already. It’s not as pure as using Ben’s Pure Perl, but it’s also a bit less painful.

The Textile/import I just threw in to get it out of my head, because otherwise I’ll be tempted to write about how over-re-use of simple markers like five dashes is an indication that we should be using XML rather than plain text for import/export and XHTML rather than a reinvention in text because it may not be all that easy to always get it right, but at least we all know what starts markup, and I don’t much feel like writing that. So instead I gave it a sideways glance, and Srijith already emailed me about the Textile fix, and now I’ve pretty much written it.

What was I saying, again? Oh. Yes, I’d much prefer whitelisting based on PGP signatures. Ken MacLeod started only accepting comments with a link to a PGP-signed FOAF file back in February. He doesn’t seem to have gotten a single comment since, but I assume one day he will. Do you think you and Srijith can keep me commented in the style I’m accustomed to until someone else comes along and signs their comments?

It’s a much better authentication method, and it’s going to overcome my reluctance to verify server-side, but I’m afraid it’ll be a while before it can be our only authentication method. Like, until Windows ships with PGP. Scoble, are you listening?

Comment by Jacques Distler #
2004-03-25 11:55:40

Do I actually have to suffer the slings and arrows of Crypt::OpenPGP? There seem to be several nice wrappers for both GPG and PGP on CPAN, and mine host seems to have installed both of those for me already. It’s not as pure as using Ben’s Pure Perl, but it’s also a bit less painful.

Hey, man, whatever works!

I’m not one for purity. As long as you have something with a roughly equivalent API, you should be able to get server-side verification working with a modified version of Srijith’s plugin.

Do you think you and Srijith can keep me commented in the style I’m accustomed to until someone else comes along and signs their comments?

For you, Phil? Anything …

It’s a much better authentication method, and it’s going to overcome my reluctance to verify server-side, but I’m afraid it’ll be a while before it can be our only authentication method. Like, until Windows ships with PGP.

I hope we don’t have to wait that long. But, yeah, it’s an uphill battle.

 
Comment by Srijith #
2004-03-25 14:27:14

Do I actually have to suffer the slings and arrows of Crypt::OpenPGP?

Indeed, as Jacques mentioned, any wrapper with similar API should do the trick. I used Crypt::OpenPGP because it looked the cleanest dues to its pure Perl implementation. A couple of code changes should get any other wrapper working.

Oh. Yes, I’d much prefer whitelisting based on PGP signatures.

Whitelisting based on PGP signature has the inherent advantage that it is not centralised, does not make use of any credentials (other than the public key, which anyway is meant for sharing) saved on remote servers. The best thing is one does not have to re-invent any wheels in developing the authentication technology.

Adding PGP authentication based whitelisting into MT 3 should not be difficult task. Heck, it should be easy to add it into MT 2.661 even.

 
Comment by Jacques Distler #
2004-03-28 09:26:01

I looked at his setup, and the descriptions of PGP-signed FOAF files.

I could not see the what all that added complexity achieves.

  • It does not establish that the author of the comment is the owner of the FOAF file.
  • It does not establish the authenticity of the data in the FOAF file. (I can sign any collection of bogus crap.)
  • And even establishing the identity of the signer of the FOAF file falls back on the PGP Web-of-Trust, which is to say that it can’t be automated, and it can’t be done by the readers of the comment (not at all, in his set-up, and not easily in any variant I can think of).

There may be a role for PGP-signed FOAF files in the world (assuming, of course, that there’s a role for FOAF in the world), but authenticating blog comments isn’t it.

 
 
 
Comment by l.m. orchard #
2004-03-25 06:36:24

From the sounds of it, I’d be willing to bet that there’ll be at least one clone of TypeKey, if not half-a-dozen, likely within hours of the release of MT 3.0. I’m thinking of doing one myself. So… auth.decafbad.com, auth.philringnalda.com, auth.burningbird.net, and so on. If the code for recognizing multiple auth servers doesn’t ship with MT 3.0, I’d also bet that something Drupal-like will be hacked in right quick as well.

Maybe I’m too optimistic, but I’m fully expecting the LazyWeb to route around any of TypeKey’s rough edges.

 
Comment by Geof #
2004-03-25 06:51:19

Phil:

I can’t believe that, until now, I hadn’t thought about levels of trust in terms of what people post.

Not allowing untrusted users to use HTML? That seems fair.

 
Comment by Minerva Bowman #
2004-03-25 07:40:33

Most places charge, $18,

we charge just $3

You will never get cheaper viagra!

Order today

before offer expires

Delivered world wide!

Check this link to see all about and why is so cheap

Comment by Phil Ringnalda #
2004-03-25 09:27:34

Precisely. Ideally, I’d like to show you as just a litte something, maybe the comment subject even though people rarely change it, with your HTML-free comment in a hidden <div>, maybe even with a link to show it with HTML with a CGI that’s hidden away where no search engine crawler gets to go, but even with the whole comment showing I find you far less annoying than I would if you were linked, and I was wondering whether (or, rather, how many times) Googlebot had been by before I got you deleted. I’m going to see my sister’s new house this weekend, so I’ll be sporadically connected at best, and knowing that I would only have words to delete when I get back, not sticks and stones and links, would please me enormously.

 
 
Comment by Tomas #
2004-03-26 04:26:08

Nobody is forcing you to turn on moderation. You could juse use TypeKey as a way for people to not have to repeat their name, e-mail and url. But then again, then there would be nothing to whine and complain about…

Comment by Jacques Distler #
2004-03-26 06:00:12

You could juse use TypeKey as a way for people to not have to repeat their name, e-mail and url.

That’s what the RememberMe cookie is for.

Oh, wait! You mean someone who’s never commented on your blog before. Someone who wants to sign into TypeKey once, and then leave comments on a whole bunch of blogs he’s never commented on before. And who wants not to have to waste time retyping anything.

Yeah, that’s the ticket …

Comment by Phil Ringnalda #
2004-03-26 06:19:47

Hey, then you wouldn’t need to write any code to work around non-standard labels and names for the input fields! Er, I mean, you wouldn’t have to, um, figure out what they meant to type in them, that’s it…

 
 
Comment by Phil Ringnalda #
2004-04-18 17:44:24

And, er, actually someone is forcing me to turn on moderation: Jay Allen. He’s said he’s abandoning MT-Blacklist in favor of TypeKey, which means that either I use TypeKey and moderation, or I rewrite MT-Blacklist (either by cleanrooming it somehow, or by just saying ”screw his license, I’m distributing this anyway” because I’m not willing to leave all my friends who don’t code hanging).

 
 
Comment by Shelley #
2004-03-26 07:31:47

What you’re saying Phil is that commenters are guilty until proven innocent. You’ll allow people to register, but you’ll deny their application for registration until you know them, and trust them, in which case they’ll then be allowed to register at your site as part of the ’whitelist’ of accepted people — accepted based on whatever personal standards you decide to maintain.

Now ask yourself something: what message are you giving with this type of action?

The FOAF people went through something similar to this when deciding whether to allow relationship attributes into the vocabulary. They wisely withheld this, knowing that highlighting certain people as friends, and others just as someone known, but not classed as friends would cause a lot of unnecessary group identification, unwarranted trust, and hurt.

Why would I or any other person who believes that the best communication occurs within an open evironment, and between people who don’t always agree, want to comment within such a classed and constrained space? Might as well stick a button on the comment page saying:

”Are you a friend of Phil’s: Yes or No? If you answer ’Yes’, I’ll get back to you on whether I agree with you or not.”

As for PGP and ’whitelists’ — We’re mixing up authentication with approval, and list membership. Someone could be very authentic, but you don’t like or trust them. Would they then be ’whitelisted’ because they’re authentic?

What message are we sending out when we put ’authentic’ commenters in black or whitelists? And what is the problem you’re having with your comments now, and how will TypeKey solve this? Not, what new toy can you create based on TypeKey — what problem do you have, now, for which TypeKey is the only solution?

Comment by Jacques Distler #
2004-03-26 10:52:00

I’m sorry, Shelley. I think you completely misunderstand what is being talked about.

We are talking about Comment Moderation. Comments from ”white-listed” commenters are allowed to appear immediately. Comments from others are relegated to a Moderation Queue, for review by the blog owner.

(Phil has various variants on this:

  • ”Whitelisted” comments can use HTML and supply hyperlinks. Other comments have HTML and all URLs stripped.
  • ”Whitelisted” comments are visible, when posted. Others are hidden in some way.

The details don’t really matter much. What we’re addressing here is the authentication aspect of the whitelist.)

The question is: how do we decide that a given comment is from someone on our whitelist? The folks from SixApart have proposed that we use the commenter’s TypeKey credentials. I am suggesting that a better solution is to use the PGP signature on their comment.

I have explained elsewhere (I,II,III) why PGP signatures are a superior form of authentication.

  • We actually know that the commenter controls the web-site that they left as a URL.
  • Nobody’s personal information is stored on a 3rd party server.
  • There are no issues of server outages, cross-site scripting vulnerabilities, …

If you don’t want to sign your comments, and if you don’t want to register for TypeKey, your comments will just end up in Phil’s moderation queue. Is that so terrible?

You’re always welcome to comment at my blog, as I have no intention of turning on Comment Moderation (unless circumstances change, and force me to).

But I’d still recommend that you sign your comments on my blog, too… for your own protection, not mine.

Comment by Shelley #
2004-03-26 12:27:43

Sorry, Jacques, not used to threaded comments, and didn’t comment directly to your reply.

 
 
Comment by Phil Ringnalda #
2004-04-01 01:44:43

(I will be getting back to this, long after you and everyone else has forgotten about it. It’s just that now I’ve drafted a reply three times, let it sit for a bit to ripen and be sure it’s what I mean, and had it eaten by one browser crash and two OS crashes. It’s starting to make me a bit nervous, like maybe I’m completely wrong and my laptop knows it.)

 
Comment by Phil Ringnalda #
2004-04-05 00:20:11

Okay, no crashes for several days, so it’s probably safe to comment, despite the fact that everyone’s long since lost interest in this thread.

TypeKey isn’t a solution for me, it’s a tool to enable the solution of moderation.

While you were all having this very interesting conversation, keeping my weblog from become more boring than usual, I was driving 11 hours, spending a couple of days with my sister and brother-in-law in their new house, and then driving another 11 hours. I checked my email a couple of times, but didn’t spend any time online, and it was only thanks to a quick satellite installer that I could check it at all.

You are all my trusted friends, and you have my permission to say absolutely anything in my comments at any time. If I think you are wrong, or trolling, then I’ll rip you a new one (and then try to hand you a bandage, because we are friends), but I won’t stop you from saying the wrong thing, or the right thing in the wrong way.

However, there are plenty of people who are not my friends, who only want to leave a comment to sell more sugar pills. They do not have my permission to comment, at any time. In the usual course of things, I find out about their comments within ten minutes (if I’m awake), or worst case six hours (I really need to sleep more). That’s generally good enough to suit me: maybe a search engine bot or two will see them once, while I’m sleeping, and then see them gone next visit. I can tolerate that.

However, when I pretend for a few days that I still have the life I had Before Blogs (which I’m going to do again next weekend, with no connection at all), they get to stick around longer, leaving plenty of time for every search engine bot and every subscriber to my comment RSS feed to see them. Worse yet, true or not I really believe that the lesson from a former career, that nothing breeds graffiti and vandalism like leaving graffiti and vandalism for the next cretin to see, also applies to comment spam: leave spam long enough to be searched for, and you’re asking for more spam.

So while I’m honored to have people I have some reason to believe are people comment while I’m not around, I want a way to accept comments from strangers without actually showing them until I can look at them. I want comment moderation, but only for people I haven’t met yet. I know Roger thinks that weblog comments are discussion forums that only happen to be provided by the weblog owner, but I disagree: my comments are a conversation in my living room, and while I’m not about to be so childish as to say that you can’t talk to each other, only to me, I don’t in the least mind saying that when I need to leave the house, only people I know and trust are allowed to stick around.

I could do that by having registration that only works for my weblog, and probably somewhere between 1 and 5 percent of the people who would otherwise be able to comment while I’m gone would bother registering, or I could use TypeKey, and probably somewhere around 95 percent of them will register, since it gives them benefits beyond just the dubious honor of commenting here.

TypeKey goes down? You’ll have to wait for me to manually ”approve” your comment, a situation that’s slightly better than all the times when you want to comment and my site is taking a DreamHost ten minute break, since at least you can submit the comment and forget about it, rather than having to remember to come back (or not).

Comment by Roger Benningfield #
2004-04-05 05:16:48

Phil: ”I know Roger thinks that weblog comments are discussion forums that only happen to be provided by the weblog owner…”

Guilty as charged. However, that doesn’t mean I oppose the ”my living room” view of things. I just have some very specific ideas of what makes a ”good host”. And a ”good guest”, for that matter.

 
 
 
Comment by Shelley #
2004-03-26 12:26:13

No, Jacques, I did not miss the point on the use of moderation. (And thank you for not turning on TypeKey and comment registration).

As regards to moderation and TypeKey:

If a person’s comment doesn’t appear right away, then they know they are moderated. Their comment no appearing right away means they are prevented from joining a conversation in real time. No?

If a person is aware that the site has a ’white list’ of ’accepted’ or ’trusted’ people, then they realize that they are ’not accepted’ or ’not trusted’. If they’ve been by before, they might feel rejected by this classification. If they’re new, they might feel disinclined to add further comments because they can’t join realtime conversations.

For non-techs or people not familiar with the vagaries of the tool (and disinclined to read what will probably be a longish explanation), they might be confused why their entry doesn’t show up. Or frustrated when what they say is later said by another ’trusted’ commenter, and that person’s trusted comment was allowed through, while their own was held back waiting Phil’s approval for what could be a longish time, because Phil had a heavy date, or was off in the woods for two weeks — or both.

Now, if the only criteria that Phil needs, or yourself, not to be moderated was authentication, what will that do for your anonymous but valid commenters? People with good things to say, but staying anonmous? Those who don’t sign their comments, or provide a valid email address or who don’t ’authenticate’ from Big Daddy will end up moderated, which means they probably won’t comment after the first experience.

Even then, these uses of moderation seem to be based on spam prevention, but I have no doubts that moderation will be extended to lots of ’authenticated’ people by sites that frankly want to feel the power beneath their fingertips. In fact, I’d rather see out and out banning then something publicly viewable such as moderation. (”Hey, her comment was held for a day. She must be in the moderation queue.”)

(Ah, the new stigma — instead of a scarlet letter affixed to our breasts, a timestamp affixed to our comments.)

If Phil’s main interest is to only allow HTML from whitelist members, well, sounds like he’s in for some hacking, but at least he’s not keeping a person out of the conversation.

But hiding a person’s comment, or holding for a time — these are physical attributes attached to that person’s comments that may a quality statement about that person. And not all of them will be from comment spammers.

So, no, I think I understand whitelists and moderation.

Comment by Shelley #
2004-03-26 12:32:42

I understand whitelists and moderation — I just can’t spell worth a damn in tiny comment boxes.

Grrr.

 
Comment by Roger Benningfield #
2004-03-26 12:59:25

”If they’ve been by before, they might feel rejected by this classification.”

Shelley: Personally, I think anyone who tends toward feelings of rejection when they don’t receive instant gratification from others ain’t worth worrying about. The blogosphere is already overpopulated with touchy, hypersensitive souls looking for something with which to take offense… discouraging a couple of them from emerging before they’ve donned the emotional equivalent of Big Boy Pants is just doing the world a favor.

”I have no doubts that moderation will be extended to lots of ’authenticated’ people by sites that frankly want to feel the power beneath their fingertips.”

No doubt, and that’s unfortunate. The thing is, those dealing in heavy-handed moderation are philosophical cousins to those who are going to bristle at being moderated… when you boil it down, both groups think the discussion is All About Me.

”Validate me! Make me look good! Entertain me!” Feh.

Comment by Shelley #
2004-03-26 13:11:11

Roger, I don’t see this as a form of instant gratification. I see it as a person finding out that they’re not in a ’whitelist’ maintained by the owner, which means that the owner has made a value judgement about what they have to say, or how they say it. Is this about them? Well, sure, but no one likes to feel like they’re not part of the ’good’ people, or the conversation.

Anyone who makes a comment does so because he or she feels that they have something to contribute to the conversation. Is that egotistical of them? Well, then so is a blog — monsterously egotistical.

But I can emphathize how a person, especially one who hesitates to make a comment in the first place, will feel finding out that they’re being moderated, when others aren’t. Put yourself in their shoes — how would you feel?

Comment by Shelley #
2004-03-26 13:26:17

Case in point:

I have a good mix of people who comment at my weblog, and I cherish everyone. And I’ve had some great putdowns by talented people, and if it’s clever and not deliberately mean, well I can appreciate it.

Now, some of the people who have commented in my weblog in the past, have written me emails afterwards saying, ”I really hesitate to comment in weblogs sometimes because it seems like the regular audience will make fun of you, or I’m afraid of saying something stupid, or getting blasted. I felt comfortable enough with your weblog — but delete my comment if it’s stupid.”

There are no stupid comments by well meaning people.

I am immensely gratified when these people do make comments, because I feel that it means I have the best group of readers: people who read my weblog and think for themselves, don’t act as a ’group’, are open to other viewpoints, and that I have a diverse audience — diverse enough to make all people feel comfortable about commenting.

What happens in this environment if I start moderating? Or requiring authentication?

I won’t risk one of those comments for all the spam in the world. They are too important to me, each and everyone. A gift. That’s why I pushback at all of this so strongly — most people want more comments, not less. Most people want more diversity, not less.

Now, some sites because of the subject matter do get some pretty hateful people, and perhaps they’ll want some form of authentication to try and control this. And some of the A-Listers are targets just because they are A-Listers. But for most of us, we get along just fine, learning to deal with each other, even if we get pissy at times. Or we get rude. Or even if we get downright nasty because we’re in a bad mood, and you pushed my button.

We deal with each other individually, as circumstances warrant. None of us is perfect, and we all understand this, and use this when interpreting what we each say.

All I want is to keep out the automated spamming and an easy way to clean up obvious comment spam. And to prevent crapfloods. I have all of this now, thanks in part to Jacques and Phil and Jay Allan, which his nice comment clean up email function.

How did we end up, going from preventing comment spam, to centralized authentication and Ms. Manners in weblog comments? To not learning to work through individual differences, individually?

To letting technology deal with our social challenges?

 
Comment by Roger Benningfield #
2004-03-26 14:45:17

Shelley: ”I don’t see this as a form of instant gratification.”

I can’t speak for anyone else, but the kind of moderation I favor is very simple… if you’re registered, post away. If you’re not, you’ll have to wait until someone can check your content out. Assuming you’re not abusing the system, your post *will* be cleared.

It’s a very simple trade-off, really. You give me an identity, you get a conversational ”speed pass”. Opting to forego that trade-off may make sense for some folks, but complaining about the consequences of such a choice would be an act of childish petulance, IMO.

”…which means that the owner has made a value judgement about what they have to say, or how they say it.”

There will certainly be some who will use registration that way, and I’ll be right there with you in saying it’s a bad idea. But when I talk about this stuff, I’m not thinking in terms of value judgements… it’s simply a matter of ”you are a known entity” vs. ”I don’t know you yet”.

”…how would you feel?”

If the moderation process was simply a means of sorting knowns from unknowns? I wouldn’t care. If I wanted to be known, I could take the necessary steps.

If the moderation process was a tool for an egomaniacal, uptight, or otherwise hyper-controlling individual to vent his Inner Bowdler? I still wouldn’t care, in part because my skin is thick enough to withstand the disapproval of a random person with a blog. But more importantly, I would avoid engaging the moderator in the first place… he clearly wouldn’t be my kinda people.

 
 
 
Comment by Jacques Distler #
2004-03-26 13:43:26

If a person’s comment doesn’t appear right away, then they know they are moderated.

No, they know they are moderated because, after hitting the ”POST” button, they received a message which says something like, ”Thank you for your comment. It has been sent to Phil Ringnalda for review. It will appear on this web site, after he has approved it.”

what will that do for your anonymous but valid commenters? People with good things to say, but staying anonmous?

I don’t allow anonymous comments on my blog. Of course, nothing prevents you from entering bogus data into the ”Email” and ”URL” fields of my comment form. But, if someone’s going to enter bogus data into my comment form, I don’t see why they should feel aggrieved at having their comment moderated.

(Again, I don’t intend to turn on Comment Moderation, but I would feel no guilt at moderating a comment where the data entered was bogus.)

That said, let me emphasize the distinction between ”anonymous” and ”pseudonymous.” I have no problem with pseudonymous commenters, and there is no reason why someone cannot create a PGP key corresponding to their pseudonym.

What I haven’t yet worked out a satisfactory answer to is how to obtain the PGP key of someone with a (real, but possibly throwaway) email address, but no website. The obvious answer is to dispatch an email to that address, asking the recipient to visit a particular (secret) URL and upload their PGP Public key.

Even then, these uses of moderation seem to be based on spam prevention

Spammers, trolls, whatever. I don’t, currently, have any trouble with either. But, if I did, I think Moderation would be a perfectly-valid response. There are other things I’d try first (since there are many inconveniences and annoyances with Moderation, no matter how nicely implemented).

But I’ve no philosophical objection to Moderation. It’s my #$%@ website.

PGP-signing your comments protects the commenter too. It combats identity theft, and it prevents the blog-owner from editing the comment without being detected.

This comment is provably from me (the owner of Musings), and has provably not been altered by Phil.

Comment by Jacques Distler #
2004-03-29 23:51:30

The obvious answer is to dispatch an email to that address, asking the recipient to visit a particular (secret) URL and upload their PGP Public key.

Following BigLumber, one could do something slightly better.

For commenters who don’t have a web site, but wish to sign their comments:

  1. If the author of a PGP-signed comment leaves only an email address, attempt to download their key from the keyserver.
  2. If that succeeds, dispatch a message, encrypted to that key to the email address left by the commenter.
  3. The encrypted message contains a nonce, and instructions for the recipient to go to a certain URL, and type in their email address and this nonce.
  4. By going through this rigamarole, we confirm that the owner of the email address and the owner of the PGP key are the same person.
  5. Now we can store the key on our Keyring, and use it to verify this commenter’s comments.

On the other hand, since you thoughtfully refrain from displaying the commenter’s email address, there is little to be gained by the reader in definitively tying that (invisible) email address to the poster.

Moreover, even tying a comment definitively to some throway hotmail address does not do a lot for me, in terms of establishing the identity of the commenter.

 
 
 
Comment by Tim #
2004-04-01 00:06:22

A little off-topic, but I just spotted your comment re Gmail on Techdirt (http://www.techdirt.com/articles/20040331/170204_F.shtml). Exteremely funny. Why do you save so many of your gems for other sites?

Comment by Phil Ringnalda #
2004-04-01 01:41:33

Oh, there’s no non-sappy way to put it, but I really do think of blogging as an us thing, not a me thing. If we’re talking about Gmail, and Techdirt happens to trigger my need to say something (the Yahoo! Knows! Me! thing’s been festering for a while), then I’ll say it there.

In my more me-ish moments, I do wish someone would come up with the ultimate commenter-stalker system, since I have the same feeling when I run across an unexpected Stavros-comment, but mostly I just like to bob along on a sea of posts-n-comments, reading whatever comes along, writing whatever suits.

 
 
 
Trackback by Espresso #
2004-03-25 01:45:24

More TypeKey fun

Phil Ringnalda seems more interested in moderation than registration. (WordPress, anyone?)

 
Trackback by Preoccupations #
2004-03-25 02:36:48

TypeKey

Six Apart announces TypeKey and the reactions are sharply divided: BuzzMachine approves (but has questions, as does Dave Winer), Don Park is for it (’… as long as it is done right. A typical cause of failure for such schemes

 
Trackback by Musings #
2004-03-25 06:49:20

TypeKey

A discussion of Six Apart’s new, centralized Commenter Registration Service.

 
Trackback by Random Bytes #
2004-03-25 06:50:23

TypeKey from a different angle

Phil almost has it – the only way to look at Typekey is as a centralized authentication mechanism. MT will implement in such a way that it facilitates comment moderation. Typepad will probably do the same. But this doesn’t change what Typeke…

 
2004-03-25 07:06:44

More On Spamming

Let’s specifically address comment spam here for a moment, since that’s the topic du jour.

Phil Ringnalda presents another view on TypeKey. I tried to avoid any one solution in yammering about spamming the other day, but TypeKey clearly was o…

 
Trackback by Eric Longman #
2004-03-25 07:17:42

TypeKey: Passport for Weblogs?

After reading Ross’ comments on Phil’s comments about TypeKey…

 
Trackback by Pudding Time! #
2004-03-25 09:42:19

He’s a Friend of Ours

(or ”Damn it Feels Good to be a Gangsta: Web Nerd Edition”) kur05hin is moving to a ”sponsored user” system: The idea is this: someone…

 
2004-03-25 16:17:25

Phil’s TypeKey light bulb moment

He’s almost there……

 
Trackback by This Chick #
2004-04-09 19:19:23

My Thoughts

If you’re not interested in my thoughts on Movable Type 3.0 and/or TypeKey then don’t bother to continue reading….

 
Trackback by MovableBLOG #
2004-04-16 16:19:49

The Real Problem With TypeKey

The problem isn’t with the centralized nature of TypeKey or that Six Apart is somehow evil. Using weblog comment systems as a replacement for having your own weblog is the problem.

 
Trackback by SemErgence #
2004-04-17 11:03:22

A Trust Web Might Help

phil ringnalda dot com: TypeKey from a different angle Phil Ringnalda writes: Now, I’m not so sure that’s the right angle to take. If instead of seeing TypeKey as a slightly more tolerable (because you only have to lie about your email address once ins…

 
Name (required)
E-mail (required - never shown publicly)
URI
Your Comment (smaller size | larger size)
You may use <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <code> <del datetime="" cite=""> <dd> <dl> <dt> <em> <i> <ins datetime="" cite=""> <kbd> <li> <ol> <p> <pre> <q cite=""> <samp> <strong> <sub> <sup> <ul> in your comment.