6

I would like to be able to prove that I wrote the article that resides at a given URL on someone else's blog. Is there a way that I can do this with public key cryptography? I know a bit about the topic and I am thinking that I could:

  • use my private key to generate a public key which I will display on my own website for reference
  • use my private key, seeded with the URL of the blog, to create a new public key for each new blog URL I write on
  • ask the reader to verify the authenticity of my work by somehow comparing the two public keys

Am I on the right track? It's the somehow I need help with.

Adi
mulllhausen

3 Answers

7

After the fact (and limiting the answer to viable technical solutions), there is probably no way to prove you wrote something. I will assume the content is yet to be published.

There are two parts to a reasonable "proof", the first being association of the content with a digital identity, i.e. signing the content so that it can be verified with a recognisable and easily available public key. The second (which may not be required, depending on how paranoid you are) is proving you created it first (i.e. to prove or disprove plagiarism). A digital signature provides integrity and authenticity (proof of sender). Proof of authorship (related to non-repudiation) is a more difficult problem to solve.

The simplest way then is with a public key solution, as you suggest: before you publish you get a trusted third party who provides a secure timestamping service to timestamp and sign a digest of your signed content. The timestamping service will use X.509 certs; you are free to use PGP or X.509 to sign your content here.

Your "provable" published data should be: the content (signed by you) and signature (if not inline), your public key or its location, the digest method, and the third party's timestamping signature (of the digest).

This question on signing code commits pretty much covers the technical details: https://stackoverflow.com/questions/11913228/how-can-i-use-rfc3161-trusted-timestamps-to-prove-the-age-of-commits-in-my-git

A possible problem here is how to represent your content in a canonical format so that others can verify the signature. You should consider signing the content in a format which can be downloaded "intact" and not subject to unintended reformatting or alteration by the server side blog software. Offering a PDF version of the article would be a solution, and you also have the option of using an X.509 signature and timestamp within the PDF itself (PDF).

If you're old-school, there is a free 21st century equivalent to posting yourself a copy by registered mail, which may or may not be useful, and probably has about as much legal weight (i.e. negligible): http://www.itconsult.co.uk/stamper.htm


There is now a similar question on Programmers.SE; one of the interesting answers involves using Bitcoin to make a sacrificial micro-payment to a non-existent address (your content hash value). Once your transaction gets onto the blockchain you have your "proof" (albeit with reduced timestamp resolution, it could take some tens of minutes).

mr.spuratic
  • It's possible to study the author writing style and verify, *with a certain level of confidence*, that the writing style of one author is the same that is found in some published article... – woliveirajr Aug 26 '13 at 13:29
  • @woliveirajr, But that certain level of confidence by itself is semi-useless if it's a low number. – Pacerier Jun 04 '14 at 17:26
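The canonical-format problem raised in the answer above, as an added example that is not part of the original post: the article is reduced to canonical bytes before hashing, so the digest that gets signed and timestamped still matches after blog software reflows the text. The normalization rules, function names and sample texts are assumptions made for illustration; whatever rules are used would have to be published next to the public key so readers can reproduce the digest.

```python
import hashlib
import re
import unicodedata

# Typographic substitutions a blog engine may apply on display (assumed list).
TYPOGRAPHY = str.maketrans({
    "\u2018": "'", "\u2019": "'",   # curly single quotes
    "\u201c": '"', "\u201d": '"',   # curly double quotes
    "\u00a0": " ",                  # non-breaking space
})

def canonicalize(text: str) -> bytes:
    """Reduce an article to the byte string that is hashed and signed."""
    text = unicodedata.normalize("NFC", text).translate(TYPOGRAPHY)
    text = text.replace("\r\n", "\n").replace("\r", "\n")
    # Collapse runs of spaces/tabs and drop leading/trailing space per line.
    lines = [re.sub(r"[ \t]+", " ", ln).strip() for ln in text.split("\n")]
    out = []
    for ln in lines:
        # Keep at most one blank line in a row, none at the very start.
        if ln or (out and out[-1]):
            out.append(ln)
    while out and not out[-1]:
        out.pop()                   # no blank lines at the end
    return ("\n".join(out) + "\n").encode("utf-8")

def digest(text: str, canonical: bool = True) -> str:
    data = canonicalize(text) if canonical else text.encode("utf-8")
    return hashlib.sha256(data).hexdigest()

def same_article(a: str, b: str) -> bool:
    return digest(a) == digest(b)

# Constructed samples: the author's file, the same text as a blog might
# serve it (curly quotes, CRLF, extra spacing), and an altered copy.
AUTHOR_COPY = ('Why "proof" is hard\n\nA signature covers exact bytes.\n'
               'Change one and it fails.\n')
BLOG_COPY = ('Why \u201cproof\u201d is hard\r\n\r\n\r\n'
             'A signature covers  exact bytes. \r\nChange one and it fails.')
TAMPERED_COPY = BLOG_COPY.replace("fails", "passes")

if __name__ == "__main__":
    print("raw digests equal:      ", digest(AUTHOR_COPY, False) == digest(BLOG_COPY, False))
    print("canonical digests equal:", same_article(AUTHOR_COPY, BLOG_COPY))
    print("tampered copy accepted: ", same_article(AUTHOR_COPY, TAMPERED_COPY))
```

Canonicalization deliberately discards distinctions such as curly versus straight quotes, so the signature only vouches for the text up to those rules.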
6

What you can do is use PGP to sign your text (another article here). You will then need to publish your public key so people can verify that you have "written" this text. Note that there is no way they can actually verify that you have written the text (you, yourself could also just copy the text from somewhere and sign it, even though you have not written it).

  • make your public key available (preferably you give the key in person to everyone, in reality make it available on a page solely under your control)
  • sign your posts with your private PGP key and make it available in the blog post or on a personal website
  • If people want to verify that you have written this blogpost they take your public key and verify the post. If they succeed they know the post was signed with your private key. This means that the only person who could have encrypted the message is the person who has the private key. Considering it is your private key (you never give this to anyone), they know it must have been you.
Lucas Kauffman
3

I think along with the who, the when is also important. This brings into play timestamps. These are a third party service and they sign a hash of the text and add a timestamp. This proves that the text was in existence before that instant of time. So even if there are copies, your copy was the first one (or not).

Unlike gpg, timestamping services may not be free.

Kinjal Dixit
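What a timestamping service is actually sent, as an added example that is not part of the original answers: the RFC 3161 `TimeStampReq` built by hand in DER, showing that only a SHA-256 digest of the signed article leaves the author's machine. The function names and the sample bytes are assumptions made for illustration.

```python
import hashlib
import secrets

# DER encoding of the SHA-256 object identifier 2.16.840.1.101.3.4.2.1
SHA256_OID = bytes.fromhex("0609608648016503040201")

def tlv(tag: int, body: bytes) -> bytes:
    """DER tag-length-value with short or long form length."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + body

def der_int(n: int) -> bytes:
    """Non-negative INTEGER, minimal length, 0x00 prefix if the top bit is set."""
    return tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))

def build_timestamp_request(signed_article: bytes, nonce=None,
                            cert_req: bool = True) -> bytes:
    """TimeStampReq ::= SEQUENCE { version, messageImprint, nonce, certReq }"""
    digest = hashlib.sha256(signed_article).digest()
    algorithm = tlv(0x30, SHA256_OID + b"\x05\x00")      # AlgorithmIdentifier
    imprint = tlv(0x30, algorithm + tlv(0x04, digest))   # MessageImprint
    if nonce is None:
        nonce = secrets.randbits(64)   # ties the TSA's reply to this request
    body = der_int(1) + imprint + der_int(nonce)
    if cert_req:
        body += b"\x01\x01\xff"        # BOOLEAN TRUE: include the TSA cert
    return tlv(0x30, body)             # DER omits certReq when it is FALSE

# Constructed sample standing in for the article plus its signature.
SIGNED_ARTICLE = b"constructed sample: article text plus its detached signature"

if __name__ == "__main__":
    request = build_timestamp_request(SIGNED_ARTICLE)
    print(len(request), "bytes:", request.hex())
    print("article text in request:", SIGNED_ARTICLE in request)
```

The resulting bytes are what gets posted to a timestamping authority with content type `application/timestamp-query`; `openssl ts -query -in req.tsq -text` prints such a file in readable form.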