Make Your Website Trusted Using Authenticable Testimonials
Authentication Protocol for Website Testimonials
This page presents the solution for properly providing website testimonials. It is well structured, free and an all-win scheme:
- Win for the website visitor as they can confirm the quality of the website, product and/or service which they are considering.
- Win for the website owner as the visitor can confirm the authenticity of the testimonials on their website.
- Win for the testimonial-giver as they receive a back-link to their website, thus increasing their traffic and search engine ranking.
How to Make Your Website Trusted with Testimonials Protocol
Suppose that an individual or organization which will be attested, let's call them A, has a website offering products and services. Suppose that another individual or organization which will provide the testimony, let's call them T, has used the products/services of A and wishes to testify about them.
Typically T will give A the text of the testimonial and A will simply post it on their website. The visitors to the website of A will see the testimonial but have little reason to trust it.
In order to make the testimonial authenticable, T has to make a digital signature of the testimonial and provide it to A as well. A publishes the testimonial and its signature on their website, as well as a link to the public key of T found on T's website. The visitors to the website of A can then use the signature of the testimonial and the public key to authenticate the testimonial, which can be done automatically with 2 mouse clicks using the Authenticate-Testimonial.org service or manually using Act On File or other capable software. In detail this procedure is as follows:
Create and Provide an Authenticable Testimonial - T (testifying) person actions
- T writes the testimonial as a file directly embeddable in a webpage, such as text, html, pdf, image, etc.
- T uses their own private signing key to sign the testimonial file using Act On File or other capable software.
- T provides the testimonial file and its signature to A, as well as the URLs of the public key and preferred landing page on their website.
Publish an Authenticable Testimonial - A (attested) person actions
- A embeds the testimonial file in the testimonials page on their website. The testimonial must be readable and download-able "AS IS".
- A places a download link to the signature of the testimonial in a suitable place.
- A places a link to the T website landing page, where T has published its public authentication key.
- A optionally places an automatic authentication link to enable the visitors to automatically authenticate the testimonial with 2 mouse clicks.
Authenticate Authenticable Testimonial - visitor actions
Automatic Authentication
- Visitor clicks on the automatic authentication link.
- When transferred to Authenticate-Testimonial.org the visitor verifies that the automatically populated controls contain URLs as expected.
- Visitor clicks the "Authenticate Testimonial Now" button to authenticate the testimonial.
Manual Authentication
- Visitor downloads the embedded testimonial file and its signature from the A website.
- Visitor follows the link to the T website and downloads the public authentication key.
- Visitor uses Act On File or other capable software to authenticate the testimonial using the downloaded files.
Comments and Conclusion
This simple protocol allows the visitors of the attested website to verify that the posted testimonials are genuine. The testifier does not necessarily need to have a website. It is sufficient for them to have an authentic online presence where they can post their public authentication keys, for example a blog, a Twitter account or any other social media account where they could make their public authentication key(s) available for downloading.
Testifying websites receive back links to them. The more prominent the attested website is, the higher PR back link the testifier gets, as well as more traffic coming from the attested website. The protocol is not proof against false testimonials. However, usually with not too much browsing the trustworthiness of a testifying website can become apparent, especially if it is a well-established site. For genuine testifying websites, new visitors coming from attested websites are especially valued, as they are genuinely interested in finding out about the trustworthiness of the testifying website, and thus learn about it and the services/products it provides.
Note: to generate public-private keys, digitally sign and authenticate files one can use the Act On File all-in-one software suite.
Note: Authenticate-Testimonial.org is currently down.
Authenticable Website Testimonials Best Practices
Best Practices for Website Visitors when Authenticating a Testimonial
- Use automatic authentication as it is simple, robust and fast. Be sure to verify that the auto-embedded URLs are as they should be.
- If in doubt, use the semi-automatic authentication using the URLs of the testimonial.
- If necessary, download the testimonial, its signature and the public key and use manual authentication.
Best Practices when Giving an Authenticable Testimonial
- Testimonial writing and content:
- Give accurate and meaningful information about the product and/or service. Sign (position & name) and date the testimonial.
- Display the name, web address and/or other identity information of the attested entity. This prevents the testimonial from being stolen.
- Display the testifying website web address. This helps to establish the trustworthiness of the testifier.
- Display the name of the public key. Name the public key so that it can be found on the webpage from which public keys are downloaded.
- Display the hash code of the public key, and the hash algorithm that was used to produce it. This helps to prevent errors.
- Display the address of the webpage on the testifying website where its public keys are listed for download. Do not use links.
- Display the address of the public key on the testifier website. Do not use links.
- Display the settings/parameters used to produce the signature, including when using the Act On File standard/default settings.
- HTML (text) files are most suitable for testimonials as they are easy to embed, can be formatted, and are index-able by the search engines.
- Avoid using links as they may be deceptive.
- Content of an example testimonial file:
This is an example of an authenticable testimonial. The purpose of this testimonial is to suggest an appropriate layout for testimonial files. Other layouts may be also suitable.
Notes:
- The top section in this layout design contains the testimonial message, date and signature. The reference data and the signature properties follow them.
- Using links in the testimonial message is fine, but links in the reference data are not recommended as links can be deceptive.
- Formatting the testimonial may be a good idea. However, testimonials listed on the same page which are formatted differently may not look aesthetically pleasing.
- Since testimonial files are embedded in the webpage displaying them, it usually is a good idea to set the width and height of the container such that less important information is viewable via scrolling as in.
4-th April 2016
MBBSoftware
Attested:
Website: example-art-gallery.com
Testifier:
Public keys page: mbbsoftware.com/__public-keys/default.aspx
Public key name: Example Art Gallery Key 1
Public key hash: SHA1 = E7702064633FACEF0D207B8F9DBC3CF23B20E368
Public key: mbbsoftware.com/__public-keys/example-art-gallery.com.example-art-gallery-1.public-key-auth-verify
Signature properties:
- Testimonial signing:
- Generate and use a new public-private key pair for each authenticable testimonial you sign and give. This allows you to revoke testimonials by removing the public key used to authenticate them from your website, without this affecting other testimonials. Note: use the same private key to sign a testimonial which has multiple versions, e.g. translations, as this is one and the same testimonial.
- Irrecoverably destroy the private key used to sign the testimonial immediately after signing it. This prevents the private key from being misused in the future. Use the Eraser module of Act On File to irreversibly destroy any file.
- Use the standard/default Act On File settings to produce the testimonial signature. This minimizes the possibility for errors.
- Publish the public key on your website:
- Place the public key in a folder dedicated to public keys. Keeping a tidy server helps site maintenance.
- Include the attested website domain name and the title of the testimonial in the filename of the public key. This makes maintenance easier.
- The public key must always be available for download for as long as the authenticable testimonial which requires it is online.
- Add a landing webpage for visitors coming from attested websites, listing your public keys from which they can be downloaded.
- Do not change the URLs of the public keys and the page listing them as they are referenced by the testimonials and attested websites.
- An example testimonial public key URL might look like this: http://www.website.com/public-keys/www.website.com.key1.public-key-auth-verify.
Best Practices when Publishing an Authenticable Testimonial - FOR WEB DEVELOPERS
- Upload the testimonial file and its signature on the attested website.
- It is recommended to use a dedicated folder for the testimonials and their signatures.
- The following naming convention might be found helpful by some visitors and is recommended but not necessary:
- testimonial filename format:
[filename].[document type].[ext]
- signature filename format:
[filename].[document type].[ext].signature
where [document type] is the type of the document, e.g. testimonial, review, document, etc.
- Upload the testimonial on the website they testify for. Reminder: testimonials should contain the name and address of the attested website in order to prevent their unauthorized use by third parties on other websites.
- Publish the testimonial ready for both automatic and manual authentication.
- Provide explanations of how to authenticate testimonials automatically and manually.
- Be sure that all published authenticable testimonials can be authenticated.
- Always verify that newly published testimonials can be authenticated properly.
- Periodically verify that testimonials published on static pages are still authenticable (e.g. there is no missing file or other reason for testimonial authentication to fail).
- Use scripts to verify that testimonials published on active pages are authenticable before showing them to the visitor, and if not hide them and send an error message to the web master. A simple but sufficient check is to verify that all related files are in place and their hashes match some expected values. Such measures will prevent failures to authenticate testimonials due to accidentally overwritten or moved/deleted files, and at the same time will notify the web master about the issue.
- Keep copies of the public keys for all testimonials. Should a testifying website lose the public key for the testimonial they gave you, e.g. due to a server crash and lack of backup, then you could provide them with your copy of the original public key, instead of asking them for a new testimonial and/or signature.
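The file-presence and hash check recommended above for active pages, as an added Python example that is not part of the original page or of Act On File. The file names follow the naming convention above with constructed contents; SHA-256 and the function names are assumptions of this example.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

def sha256_hex(path: Path) -> str:
    """Hash a file in chunks so large testimonial files (pdf, image) are fine."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def check_testimonial(folder: Path, expected: dict[str, str]) -> list[str]:
    """Return a list of problems; an empty list means the testimonial can be shown."""
    problems = []
    for name, want in expected.items():
        path = folder / name
        if not path.is_file():
            problems.append(f"{name}: missing")
        elif not hmac.compare_digest(sha256_hex(path), want.lower()):
            problems.append(f"{name}: hash mismatch")
    return problems

def demo() -> tuple[list[str], list[str]]:
    """Build a constructed testimonial folder, then break it and re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        folder = Path(tmp)
        files = {  # constructed sample contents, not real testimonial data
            "gallery.testimonial.html": b"<p>Constructed sample testimonial</p>",
            "gallery.testimonial.html.signature": b"constructed-signature-bytes",
            "gallery.public-key-auth-verify": b"constructed-public-key-copy",
        }
        for name, data in files.items():
            (folder / name).write_bytes(data)
        # Expected values are recorded once, when the testimonial is published.
        expected = {n: hashlib.sha256(d).hexdigest() for n, d in files.items()}
        intact = check_testimonial(folder, expected)
        # Simulate an accidental overwrite and an accidental delete.
        (folder / "gallery.testimonial.html").write_bytes(b"<p>edited</p>")
        (folder / "gallery.testimonial.html.signature").unlink()
        broken = check_testimonial(folder, expected)
    return intact, broken

if __name__ == "__main__":
    ok, bad = demo()
    print("show testimonial" if not ok else f"hide testimonial: {ok}")
    print("hide testimonial, notify web master:", bad)
```

This check only detects missing or altered files; it does not verify the signature itself, so a newly published testimonial still needs a full authentication run.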