Editable Comments

Ever dropped a comment on a site and wished you could go back and fix that typo, or maybe the next morning you regret the use of the 'bollocks', either way what you want is editable comments, which Bulu, the software that runs this site, now supports.

Now some sites have solved this problem by having you log into the site to post a comment. It works, but when most people are presented with the option of 'registering' with a site, or not leaving a comment, the usually choose the latter. I do this myself all the time. Over the past year of surfing I have not registered with a single site to leave a comment. So what I wanted was a system where you could leave a comment, and return to edit it at any later time, yet not require registration.

Here's the basic description of how it work. Once you post a comment, that comment gets a unique ID. I take that ID and concatenate it with a secret string secret that only I know, then get an MD5 hash of the string ID+secret. The cgi script that accepts your initial comment returns to you a URL that's of the form:

http://bitworking.org/news/comments/1-3/e0fd9772343dde302f7d709a45856fa8b

Where '1-3' is the ID of the comment and 'e0fd9772343dde302f7d709a45856fa8b' is the md5 hash. When you visit that URL Bulu gets an md5 hash of the ID+secret, and if that calculated md5 matches the one in the URL then you are allowed to edit the comment. Now you can bookmark this URL, and use this URL to edit the comment, and as long as you keep the URL a secret, no one else can edit your comment.

It's actually pretty simple once you give up on the idea of registration. You see, registration is really asking for more information than is necessary. All I want to know is that if you try to edit a comment, you were the person that created that comment to begin with. With registration, the server knows all the comments you have ever left.

How secure is it? Well, the URL is travelling over the web in plaintext, and all you need is the URL to edit any comment, so I wouldn't use this to secure the commenting system on anything real important. However, this is just a weblog, so I believe that the level of security provided is appropriate for the context.

Once I have this tested for a few more days I will make another release of Bulu.

IMHO, there's a better way... Have you every thought about how SSH works? You have a public key that you distribute and a private key that you retain... Suppose you could sign every post. And your public key could be in a foaf profile so that it could be verified. You would never need to register. You would not need to retain comment identifiers. You could modify your own comments from any machine where you had access to your key.

Posted by Sam Ruby on 2003-05-11

do you show the edit history? As a reader, that reassures me.

Posted by Anita Rowland on 2003-05-11

Sam, I don't think there is anything that precludes both types of systems from being deployed. From the pragmatic sense, I was looking for a low pain solution. 'Registering' with a site is at a much lower pain threshhold than deploying a FOAF file and managing a pair of keys. If you have a proposal, I will implement it. Phil, I am being real conserative for now on what is on the edit page, for security reason. If I had a 'preview' then you could click on that link and end up dropping your 'secret' URL into someone elses referrer logs. Anita, right now I do not keep the edit history, though it sounds like a good enhancement to the system.

Posted by Joe on 2003-05-11

While for the most part I still agree with Sam that FOAF+PGP is the prettiest way, this system does have some advantages. I don't know of any good way to only present the editing interface (or the "edit this" link) to the person who will actually be able to use it. Also, since I'm not likely to bookmark every comment I leave, with widespread adoption I'd need to set up a private weblog, and just BlogThis on every returned URL, which would then give me a ready-made reminder of threads that I need to revisit. Or, it would, if the comment editing page had a link to the thread (both for revisiting, and because that's where I want to go after I post a comment, to see how it looks, especially if I don't get to preview). Ah, interesting that an edit changes the timestamp, so you can't secretly go back and think of things first, but on the other hand, fixing a typo in the middle of a strongly referential thread ("Sam: no, you had it right two comments bakc") will completely blow the threading.

Posted by Phil Ringnalda on 2003-05-12

Phil, The timestamp is updated, but when all the comments for a single post are viewed together then they are displayed in the order that they were made, not last updated. If you look the the comments page for the whole site[1], however, there the comments are listed by the time that they were last updated. [1] http://bitworking.org/comments.html

Posted by Joe on 2003-05-12

Posted via cURL.

Posted by Joe on 2003-05-13