
Make Your Website Trusted Using Authenticable Testimonials

Authentication Protocol for Website Testimonials

This page presents a protocol for properly providing website testimonials. It is well structured, free, and a scheme in which every party benefits:

How to Make Your Website Trusted with Testimonials Protocol

Suppose that an individual or organization which will be attested, let's call them A, has a website offering products and services. Suppose that another individual or organization which will provide the testimony, let's call them T, has used the products/services of A and wishes to testify about them.

Typically T will give A the text of the testimonial and A will simply post it on their website. The visitors to the website of A will see the testimonial but have little reason to trust it.

In order to make the testimonial authenticable, T has to create a digital signature of the testimonial and provide it to A as well. A publishes the testimonial and its signature on their website, together with a link to the public key of T found on T's website. The visitors to the website of A can then use the signature of the testimonial and the public key to authenticate the testimonial, which can be done automatically with 2 mouse clicks using the service, or manually using Act On File or other capable software. In detail this procedure is as follows:

Create and Provide an Authenticable Testimonial - T (testifying) person actions

  1. T writes the testimonial as a file directly embeddable in a webpage, such as text, html, pdf, image, etc.
  2. T uses their own private signing key to sign the testimonial file using Act On File or other capable software.
  3. T provides the testimonial file and its signature to A, as well as the URLs of the public key and preferred landing page on their website.

Publish an Authenticable Testimonial - A (attested) person actions

  1. A embeds the testimonial file in the testimonials page on their website. The testimonial must be readable and downloadable "AS IS".
  2. A places a download link of the signature of the testimonial suitably.
  3. A places a link to the T website landing page, where T has published its public authentication key.
  4. A optionally places an automatic authentication link to enable the visitors to automatically authenticate the testimonial with 2 mouse clicks.

Authenticate Authenticable Testimonial - visitor actions

Automatic Authentication

  1. Visitor clicks on the automatic authentication link.
  2. Once transferred to the authentication service, the visitor verifies that the automatically populated controls contain the expected URLs.
  3. Visitor clicks the "Authenticate Testimonial Now" button to authenticate the testimonial.

Manual Authentication

  1. Visitor downloads the embedded testimonial file and its signature from the A website.
  2. Visitor follows the link to the T website and downloads the public authentication key.
  3. Visitor uses Act On File or other capable software to authenticate the testimonial using the downloaded files.
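The sign-and-verify core of the procedure above, as an added example in Go (not code from Act On File or from this site): T signs the SHA-256 digest of the testimonial file with PKCS#1 v1.5 and a visitor verifies it against the public key fetched from T's own website. The sample testimonial text is constructed, and the treatment of the protocol's byte-order property (little_endian meaning the signature bytes are stored reversed) is my assumption.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Constructed sample testimonial (not a real one), standing in for the file T gives to A.
const testimonial = "Example Art Gallery: we have used the services of Example Shop and recommend them.\n" +
	"Jane Doe, Director, 4 April 2016\nAttested website: example-shop.example"

// newKeyPair: one fresh pair per testimonial, so removing this public key revokes only this testimonial.
func newKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// signTestimonial is T's signing step: SHA-256 digest of the file, signed with PKCS#1 v1.5.
func signTestimonial(priv *rsa.PrivateKey, doc []byte) ([]byte, error) {
	d := sha256.Sum256(doc)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, d[:])
}

// normalizeSig: assumption that "little_endian" means the signature bytes were stored reversed.
func normalizeSig(sig []byte, byteOrder string) []byte {
	if byteOrder != "little_endian" {
		return sig
	}
	out := make([]byte, len(sig))
	for i, b := range sig {
		out[len(sig)-1-i] = b
	}
	return out
}

// verifyTestimonial is the visitor's check against the public key downloaded from T's own site.
func verifyTestimonial(pub *rsa.PublicKey, doc, sig []byte, byteOrder string) bool {
	d := sha256.Sum256(doc)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, d[:], normalizeSig(sig, byteOrder)) == nil
}

func main() {
	priv, _ := newKeyPair()
	sig, _ := signTestimonial(priv, []byte(testimonial))
	fmt.Println("genuine:", verifyTestimonial(&priv.PublicKey, []byte(testimonial), sig, "big_endian"))
	fmt.Println("edited:", verifyTestimonial(&priv.PublicKey, []byte(testimonial+" edited"), sig, "big_endian"))
}
```

A copy edited on the attested site, or a signature checked against a key that is not T's, fails verification, which is exactly what makes the posted testimonial trustworthy.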

Comments and Conclusion

This simple protocol allows the visitors of the attested website to verify that the posted testimonials are genuine. The testifier does not necessarily need to have a website. It is sufficient for them to have an authentic online presence where they can post their public authentication keys, for example a blog, a Twitter account or any other social media account where they can make their public authentication key(s) available for downloading.

Testifying websites receive backlinks. The more prominent the attested website is, the higher-PR backlink the testifier gets, and the more traffic comes from the attested website. The protocol is not proof against false testimonials. However, usually with not too much browsing the trustworthiness of a testifying website becomes apparent, especially if it is a well-established site. For genuine testifying websites, new visitors coming from attested websites are especially valuable, as they are genuinely interested in finding out about the trustworthiness of the testifying website and thus learn about it and the services/products it provides.

Note: to generate public-private keys, digitally sign and authenticate files, one can use the Act On File all-in-one software suite.

Note: the automatic authentication service is currently down.

Authenticable Website Testimonials Best Practices

Best Practices for Website Visitors when Authenticating a Testimonial

  1. Use automatic authentication as it is simple, robust and fast. Be sure to verify that the auto-embedded URLs are as they should be.
  2. If in doubt, use semi-automatic authentication with the URLs of the testimonial files.
  3. If necessary, download the testimonial, its signature and the public key and use manual authentication.

Best Practices when Giving an Authenticable Testimonial

  1. Testimonial writing and content:
    1. Give accurate and meaningful information about the product and/or service. Sign (position & name) and date the testimonial.
    2. Display the name, web address and/or other identity information of the attested entity. This prevents the testimonial from being stolen.
    3. Display the testifying website web address. This helps to establish the trustworthiness of the testifier.
    4. Display the name of the public key. Naming the public key makes it easy to find on the webpage where public keys are available for downloading.
    5. Display the hash code of the public key, and the hash algorithm that was used to produce it. This helps to prevent errors.
    6. Display the address of the webpage on the testifying website where its public keys are listed for download. Do not use links.
    7. Display the address of the public key on the testifier website. Do not use links.
    8. Display the settings/parameters used to produce the signature, even when using the Act On File standard/default settings.
    9. HTML (text) files are most suitable for testimonials as they are easy to embed, can be formatted, and are indexable by the search engines.
    10. Avoid using links as they may be deceptive.
    11. Content of an example testimonial file:
      This is an example of an authenticable testimonial. The purpose of this testimonial is to suggest an appropriate layout for testimonial files. Other layouts may also be suitable.
      • The top section in this layout contains the testimonial message, date and signature. The reference data and the signature properties follow them.
      • Using links in the testimonial message is fine, but links in the reference data are not recommended as links can be deceptive.
      • Formatting the testimonial may be a good idea. However, testimonials listed on the same page which are formatted differently may not look aesthetically pleasing.
      • Since testimonial files are embedded in the webpage displaying them, it usually is a good idea to set the width and height of the container such that less important information is viewable via scrolling as in.
      4th April 2016

      Example Art Gallery

      Public keys page:
      Public key name:
      Example Art Gallery Key 1
      Public key hash:
      SHA1 = E7702064633FACEF0D207B8F9DBC3CF23B20E368
      Public key:

      Signature properties:
      Byte order:
      Big endian

  2. Testimonial signing:
    1. Generate and use a new public-private key pair for each authenticable testimonial you sign and give. This allows you to revoke testimonials by removing the public key used to authenticate them from your website, without this affecting other testimonials. Note: use the same private key to sign a testimonial which has multiple versions, e.g. translations, as this is one and the same testimonial.
    2. Irrecoverably destroy the private key used to sign the testimonial immediately after signing it. This prevents the private key from being misused in the future. Use the Eraser module of Act On File to irreversibly destroy any file.
    3. Use the standard/default Act On File settings to produce the testimonial signature. This minimizes the possibility for errors.
  3. Publish the public key on your website:
    1. Place the public key in a folder dedicated to public keys. Keeping the server tidy helps site maintenance.
    2. Include the attested website domain name and the title of the testimonial in the filename of the public key. This makes maintenance easier.
    3. The public key must always be available for download for as long as the authenticable testimonial which requires it is online.
    4. Add a landing webpage for visitors coming from attested websites, listing your public keys so that they can be downloaded.
    5. Do not change the URLs of the public keys and the page listing them as they are referenced by the testimonials and attested websites.
    6. An example testimonial public key URL might look like this:

Best Practices when Publishing an Authenticable Testimonial - FOR WEB DEVELOPERS

  1. Upload the testimonial file and its signature on the attested website.
    • It is recommended to use a dedicated folder for the testimonials and their signatures.
    • Some visitors may find the following naming convention helpful; it is recommended but not required:
      - testimonial filename format:
      [filename].[document type].[ext]
      - signature filename format:
      [filename].[document type].[ext].signature
      where [document type] is the type of the document, e.g. testimonial, review, document, etc.
    • Upload the testimonial on the website it testifies for. Reminder: testimonials should contain the name and address of the attested website in order to prevent their unauthorized use by third parties on other websites.
  2. Publish the testimonial ready for both automatic and manual authentication.
    • Automatic Authentication - use and provide an automatic authentication link to allow the visitors of your website to authenticate the testimonial with two clicks. The website can authenticate testimonials automatically based on parameters provided through the web-request query string. The parameters give the URLs of the testimonial to be authenticated and of the other required files, together with their properties. To avoid confusion and for the best visitor experience, all parameters are mandatory.

      Testimonial File Parameters

      The URL of the testimonial file on the attested website.
      The type of the hash used to produce the hash code of the testimonial file in standard byte order. Recognized hash types are SHA1, MD5, SHA256, SHA384 and SHA512.
      The hash code of the testimonial file in standard byte order, expressed as a string of hexadecimal values, e.g. 446CE282BE959832BC36866F8E. The hash type and value parameters help to prevent errors due to accidental replacement of the testimonial file and similar mishaps. Use Act On File or other capable software to generate the hash code when building an automatic authentication link manually, or the Generate Automatic Link service to create links directly.

      Signature File Parameters

      The URL of the signature of the testimonial file on the attested website.
      Same as the testimonial_hash_type parameter but for the signature file.
      Same as the testimonial_hash_value parameter but for the signature file.

      Public Key Parameters

      The URL of the public key on the testifying website required to authenticate the testimonial.
      Same as the testimonial_hash_type parameter but for the public key file.
      Same as the testimonial_hash_value parameter but for the public key file.

      Authentication Process Parameters

      Hash algorithm used to create the signature. Recognized hash types are SHA1, MD5, SHA256, SHA384 and SHA512.
      Flags used to create the signature of the testimonial. PKCS1 is the only supported flag at the moment.
      Byte order used to create the signature of the testimonial. Available values are big_endian and little_endian.

      Administrative parameters

      The URL of the webpage on which the automatic authentication link is placed. The webpage must be on the same domain as the testimonial. The existence of the webpage on the same domain, and of the automatic authentication link on it, is used as a test of the legitimacy of the request.
      Email address to which to send error notifications if testimonials authentications fail or cannot be performed. In order to avoid misuse of this service the provided email address must be on the same domain as the testimonial.
      Selected language of the website when reached following the automatic authentication link. Currently available languages are Bulgarian and English. Recognized values are BG and EN.
      Note 1: In order to use automatic authentication all parameters must be provided.
      Note 2: Remember to URL-encode the values of all parameters.

    • Manual Authentication - provide the data necessary for the testimonial authentication.
      • Place download links for the testimonial, signature and public key files as full, readable URLs so that the visitor can use them for semi-automatic authentication, or download the files for manual authentication.
      • Place links pointing to the testifying website and to the webpage listing their public keys.
      • Provide the signature properties required for the testimonial authentication.
      • Provide links to the online service and to desktop software capable of authentication, e.g. Act On File or other.
  3. Provide explanations of how to authenticate testimonials automatically and manually.
  4. Be sure that all published authenticable testimonials can be authenticated.
    • Always verify that newly published testimonials can be authenticated properly.
    • Periodically verify that testimonials published on static pages are still authenticable (e.g. there is no missing file or other reason for testimonial authentication to fail).
    • Use scripts to verify that testimonials published on active pages are authenticable before showing them to the visitor, and if they are not, hide them and send an error message to the webmaster. A simple but sufficient check is to verify that all related files are in place and that their hashes match the expected values. Such measures prevent failures to authenticate testimonials caused by accidentally overwritten, moved or deleted files, and at the same time notify the webmaster about the issue.
  5. Keep copies of the public keys for all testimonials. Should a testifying website lose the public key for the testimonial they gave you, e.g. due to a server crash and lack of backup, then you can provide them with your copy of the original public key, instead of asking them for a new testimonial and/or signature.
© Copyright 2024 Bonchev Information Technologies. All Rights Reserved.