Ever dropped a comment on a site and wished you could go back and fix that typo? Or maybe the next morning you regret your use of 'bollocks'. Either way, what you want is editable comments, which Bulu, the software that runs this site, now supports.

Here's the basic description of how it works. Once you post a comment, that comment gets a unique ID. I take that ID, concatenate it with a secret string that only I know, and compute the MD5 hash of the string ID+secret. The CGI script that accepts your initial comment returns to you a URL of the form:

http://bitworking.org/news/comments/1-3/e0fd9772343dde302f7d709a45856fa8b

Here '1-3' is the ID of the comment and 'e0fd9772343dde302f7d709a45856fa8b' is the MD5 hash. When you visit that URL, Bulu recomputes the MD5 hash of ID+secret, and if the recomputed hash matches the one in the URL then you are allowed to edit the comment. You can bookmark this URL and use it to edit the comment later, and as long as you keep the URL secret, no one else can edit your comment.
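The scheme above, written out as an added example (this is not Bulu's code). The server secret, base URL and comment ID below are constructed for the demonstration; `edit_token_md5` is the post's md5(ID+secret) construction, and `edit_token_hmac` is an HMAC alternative added here for comparison, not something the post proposes. The check uses a constant-time comparison so the hash can't be guessed one character at a time by timing the response, and a URL whose comment ID or hash has been tampered with is rejected.

```python
import hashlib
import hmac
from urllib.parse import urlparse

# Constructed values for the example; a real deployment loads the secret from
# configuration and never commits it to source control.
SERVER_SECRET = b"constructed-example-secret-do-not-reuse"
BASE_URL = "http://bitworking.org/news/comments/"


def edit_token_md5(comment_id: str, secret: bytes = SERVER_SECRET) -> str:
    """The post's scheme: md5(ID + secret), hex-encoded (always 32 hex characters)."""
    return hashlib.md5(comment_id.encode() + secret).hexdigest()


def edit_token_hmac(comment_id: str, secret: bytes = SERVER_SECRET) -> str:
    """Added alternative: a keyed MAC over the ID. Same shape, but the
    construction is designed for this job rather than being a plain hash."""
    return hmac.new(secret, comment_id.encode(), hashlib.sha256).hexdigest()


def edit_url(comment_id: str, token_fn=edit_token_md5) -> str:
    """What the comment-accepting script hands back to the commenter."""
    return f"{BASE_URL}{comment_id}/{token_fn(comment_id)}"


def parse_edit_url(url: str) -> tuple[str, str]:
    """Split .../comments/<id>/<token> into (id, token); raise on anything else."""
    parts = urlparse(url).path.rstrip("/").split("/")
    if len(parts) < 2 or not parts[-1] or not parts[-2]:
        raise ValueError("not an edit URL")
    return parts[-2], parts[-1]


def may_edit(url: str, token_fn=edit_token_md5) -> bool:
    """Server-side check: recompute the token for the ID in the URL and compare.

    The token is a bearer credential: whoever holds the URL passes this check,
    which is exactly the limitation the post describes.
    """
    try:
        comment_id, presented = parse_edit_url(url)
    except ValueError:
        return False
    expected = token_fn(comment_id)
    # compare_digest does not short-circuit on the first differing byte, so a
    # wrong token takes the same time to reject whether it is off by 1 char or 32.
    return hmac.compare_digest(presented.encode(), expected.encode())


if __name__ == "__main__":
    url = edit_url("1-3")
    print("issued:", url)
    print("genuine URL accepted:", may_edit(url))
    # Re-pointing a valid URL at a different comment fails: the hash was bound to "1-3".
    print("ID swapped to 1-4:", may_edit(url.replace("/1-3/", "/1-4/")))
    # Flipping one character of the hash fails too.
    tampered = url[:-1] + ("0" if url[-1] != "0" else "1")
    print("hash tampered:", may_edit(tampered))
```

Run it as a script to see a genuine URL accepted and the two tampered variants rejected. Swapping in `edit_token_hmac` for both issuance and checking changes only the token, not the URL shape or the bearer-token property.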

It's actually pretty simple once you give up on the idea of registration. You see, registration is really asking for more information than is necessary. All I want to know is that if you try to edit a comment, you were the person that created that comment to begin with. With registration, the server knows all the comments you have ever left.

How secure is it? Well, the URL travels over the web in plaintext, and the URL alone is all anyone needs to edit the comment, so whoever sees it (on the wire, in a proxy log, or in a referrer log) can edit it. I wouldn't use this to secure the commenting system on anything really important. However, this is just a weblog, so I believe that the level of security provided is appropriate for the context.

Once I have this tested for a few more days I will make another release of Bulu.

IMHO, there's a better way... Have you ever thought about how SSH works? You have a public key that you distribute and a private key that you retain... Suppose you could sign every post. And your public key could be in a FOAF profile so that it could be verified. You would never need to register. You would not need to retain comment identifiers. You could modify your own comments from any machine where you had access to your key.

Posted by Sam Ruby on 2003-05-11

Do you show the edit history? As a reader, that reassures me.

Posted by Anita Rowland on 2003-05-11

Sam, I don't think there is anything that precludes both types of systems from being deployed. In the pragmatic sense, I was looking for a low-pain solution. 'Registering' with a site is at a much lower pain threshold than deploying a FOAF file and managing a pair of keys. If you have a proposal, I will implement it.

Phil, I am being really conservative for now on what is on the edit page, for security reasons. If I had a 'preview' then you could click on that link and end up dropping your 'secret' URL into someone else's referrer logs.

Anita, right now I do not keep the edit history, though it sounds like a good enhancement to the system.

Posted by Joe on 2003-05-11