Authenticate Testimonial

Authenticable Website Testimonials Best Practices

Best Practices for Website Visitors when Authenticating a Testimonial

  1. Use automatic authentication as it is simple, robust and fast. Be sure to verify that the auto-embedded URLs are as they should be.
  2. If in doubt, use the semi-automatic authentication using the URLs of the testimonial.
  3. If necessary, download the testimonial, its signature and the public key and use manual authentication.

Best Practices when Giving an Authenticable Testimonial

  1. Testimonial writing and content:
    1. Give accurate and meaningful information about the product and/or service. Sign (position & name) and date the testimonial.
    2. Display the name, web address and/or other identity information of the attested entity. This prevents the testimonial from being stolen.
    3. Display the testifying website web address. This helps to establish the trustworthiness of the testifier.
    4. Display the name of the public key. Naming the public key lets visitors find it on the webpage that lists the public keys for download.
    5. Display the hash code of the public key, and the hash algorithm that was used to produce it. This helps to prevent errors.
    6. Display the address of the webpage on the testifying website where its public keys are listed for download. Do not use links.
    7. Display the address of the public key on the testifier website. Do not use links.
    8. Display the settings/parameters used to produce the signature. Including when using the Act On File standard/default settings.
    9. HTML (text) files are most suitable for testimonials as they are easy to embed, can be formatted, and are indexable by search engines.
    10. Avoid using links as they may be deceptive.
    11. Content of an example testimonial file:
      This is an example of an authenticable testimonial. The purpose of this testimonial is to suggest an appropriate layout for testimonial files. Other layouts may also be suitable.
      • The top section in this layout design contains the testimonial message, date and signature. The reference data and the signature properties follow them.
      • Using links in the testimonial message is fine, but links in the reference data is not recommended as links can be deceptive.
      • Formatting the testimonial may be a good idea. However, testimonials listed on the same page which are formatted differently may not look aesthetically pleasing.
      • Since testimonial files are embedded in the webpage displaying them, it usually is a good idea to set the width and height of the container such that less important information is viewable via scrolling as in this example.
      4-th April 2016

      Example Art Gallery

      Public keys page:
      Public key name:
      Example Art Gallery Key 1
      Public key hash:
      SHA1 = E7702064633FACEF0D207B8F9DBC3CF23B20E368
      Public key:

      Signature properties:
      Byte order:
      Big endian

  2. Testimonial signing:
    1. Generate and use a new public-private key pair for each authenticable testimonial you sign and give. This allows you to revoke testimonials by removing the public key used to authenticate them from your website, without this affecting other testimonials. Note: use the same private key to sign a testimonial which has multiple versions, e.g. translations, as this is one and the same testimonial.
    2. Irrecoverably destroy the private key used to sign the testimonial immediately after signing it. This prevents misuse of the private key in the future. Use the Eraser module of Act On File to irreversibly destroy any file.
    3. Use the standard/default Act On File settings to produce the testimonial signature. This minimizes the possibility for errors.
  3. Publish the public key on your website:
    1. Place the public key in a folder dedicated to public keys. Keeping the server tidy helps with site maintenance.
    2. Include the attested website domain name and the title of the testimonial in the filename of the public key. This makes maintenance easier.
    3. The public key must always be available for download for as long as the authenticable testimonial which requires it is online.
    4. Add a landing webpage for visitors coming from attested websites, listing your public keys from which they can be downloaded.
    5. Do not change the URLs of the public keys and the page listing them as they are referenced by the testimonials and attested websites.
    6. An example testimonial public key URL might look like this: http://www.website.com/public-keys/www.website.com.key1.public-key-auth-verify.

Best Practices when Publishing an Authenticable Testimonial - FOR WEB DEVELOPERS

  1. Upload the testimonial file and its signature on the attested website.
    • It is recommended to use a dedicated folder for the testimonials and their signatures.
    • The following naming convention might be found helpful by some visitors and is recommended but not necessary:
      - testimonial filename format:
      [filename].[document type].[ext]
      - signature filename format:
      [filename].[document type].[ext].signature
      where [document type] is the type of the document, e.g. testimonial, review, document, etc.
    • Upload testimonials on the website they testify for. Reminder: testimonials should contain the name and address of the attested website in order to prevent their unauthorized use by third parties on other websites.
  2. Publish the testimonial ready for both automatic and manual authentication.
    • Automatic Authentication - use http://www.authenticatetestimonial.com and provide an automatic authentication link so that the visitors of your website can authenticate the testimonial in two clicks (see an example). The authenticatetestimonial.com website can authenticate testimonials automatically based on parameters provided through the web-request query string. The parameters provide information such as the URLs of the testimonial to be authenticated and of the other required files, and the properties. To avoid confusion and give visitors the best experience, all parameters are mandatory.

      Testimonial File Parameters

      The URL of the testimonial file on the attested website.
      The type of the hash used to produce hash code of the testimonial file in standard byte order. Recognized hash types are SHA1, MD5, SHA256, SHA384 and SHA512.
      The hash code of the testimonial file in standard byte order, expressed as a string of hexadecimal values, e.g. 446CE282BE959832BC36866F8E. The hash type and value parameters help to prevent errors due to accidental replacement of the testimonial file and similar mistakes. Use Act On File or other capable software to generate the hash code when building an automatic authentication link manually, or use the Generate Automatic Link service to create links directly.

      Signature File Parameters

      The URL of the signature of the testimonial file on the attested website.
      Same as the testimonial_hash_type parameter but for the signature file.
      Same as the testimonial_hash_value parameter but for the signature file.

      Public Key Parameters

      The URL of the public key on the testifying website required to authenticate the testimonial.
      Same as the testimonial_hash_type parameter but for the public key file.
      Same as the testimonial_hash_value parameter but for the public key file.

      Authentication Process Parameters

      Hash algorithm used to create the signature. Recognized hash types are SHA1, MD5, SHA256, SHA384 and SHA512.
      Flags used to create the signature of the testimonial. PKCS1 is the only supported flag at the moment.
      Byte order used to create the signature of the testimonial. Available values are big_endian and little_endian.

      Administrative parameters

      The URL of the webpage on which the automatic authentication link is placed. The webpage must be on the same domain as the testimonial. The existence of the webpage on the same domain, and of the automatic authentication link on it, is used as a test for the legitimacy of the request.
      Email address to which error notifications are sent if testimonial authentications fail or cannot be performed. In order to avoid misuse of this service, the provided email address must be on the same domain as the testimonial.
      Selected language of the http://www.authenticatetestimonial.com website when reached following the automatic authentication link. Currently available languages are Bulgarian and English. Recognized values are BG and EN.
      Note 1: In order to use automatic authentication all parameters must be provided.
      Note 2: Remember to URL-encode the values of all parameters.

    • Manual Authentication - provide the data necessary for the testimonial authentication. See examples at the example implementation page.
      • Place download links for the testimonial, signature and public key files as full, readable URLs so that the visitor can use them for semi-automatic authentication, or download the files for manual authentication.
      • Place links pointing to the testifying website and their public keys listing webpage.
      • Provide the signature properties required for the testimonial authentication.
      • Provide links to the authenticatetestimonial.com online service, and desktop authentication capable software e.g. Act On File or other.
  3. Provide explanations of how to authenticate testimonials automatically and manually.
  4. Be sure that all published authenticable testimonials can be authenticated.
    • Always verify that newly published testimonials can be authenticated properly.
    • Periodically verify that testimonials published on static pages are still authenticable (e.g. there is no missing file or other reason for testimonial authentication to fail).
    • Use scripts to verify that testimonials published on active pages are authenticable before showing them to the visitor, and if they are not, hide them and send an error message to the web master. A simple but sufficient check is to verify that all related files are in place and their hashes match some expected values. Such measures will prevent failures to authenticate testimonials due to accidentally overwritten or moved/deleted files, and at the same time will notify the web master about the issue.
  5. Keep copies of the public keys for all testimonials. Should a testifying website lose the public key for the testimonial they gave you, e.g. due to a server crash and lack of backup, then you could provide them with your copy of the original public key, instead of asking them for a new testimonial and/or signature.
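
The file-and-hash check described in item 4, as an added example (not code from the original page or from Act On File): it confirms that each related file is in place and that its hash matches an expected value. The manifest layout, file names and sample contents are constructed for illustration.

```python
import hashlib
import os
import tempfile

# Hash types the page lists as recognized, mapped to hashlib names.
RECOGNIZED = {"SHA1": "sha1", "MD5": "md5", "SHA256": "sha256",
              "SHA384": "sha384", "SHA512": "sha512"}


def file_hash(path, hash_type):
    """Return the uppercase hex digest of a file, read in chunks."""
    h = hashlib.new(RECOGNIZED[hash_type])
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest().upper()


def check_testimonial(manifest):
    """manifest: {role: (path, hash_type, expected_hex)}. Returns a list of problems."""
    problems = []
    for role, (path, hash_type, expected) in manifest.items():
        if hash_type not in RECOGNIZED:
            problems.append(f"{role}: unrecognized hash type {hash_type}")
        elif not os.path.isfile(path):
            problems.append(f"{role}: missing file {path}")
        elif file_hash(path, hash_type) != expected.strip().upper():
            problems.append(f"{role}: hash mismatch for {path}")
    return problems


def demo():
    """Constructed sample: publish three files, then overwrite one and delete one."""
    folder = tempfile.mkdtemp()
    samples = [("testimonial", "gallery.testimonial.html", b"<p>Great service.</p>"),
               ("signature", "gallery.testimonial.html.signature", b"\x01\x02\x03"),
               ("public_key", "gallery.key1.public-key", b"constructed key bytes")]
    manifest = {}
    for role, name, data in samples:
        path = os.path.join(folder, name)
        with open(path, "wb") as fh:
            fh.write(data)
        manifest[role] = (path, "SHA256", file_hash(path, "SHA256"))
    before = check_testimonial(manifest)          # everything in place
    with open(manifest["signature"][0], "wb") as fh:
        fh.write(b"overwritten")                  # accidental overwrite
    os.remove(manifest["public_key"][0])          # accidental delete
    return before, check_testimonial(manifest)
```

A page script would call check_testimonial before rendering, hide the testimonial when the returned list is non-empty, and include that list in the message to the web master.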
© Copyright 2016 MBBSoftware. All Rights Reserved.

What are public authentication and encryption keys?
Public Authentication Key
Click this link to download our Public Authentication Key. Public Authentication Key is used by the recipients of digitally signed documents, e.g. sent by email or otherwise, to confirm the authenticity and integrity of the documents. Use our Public Authentication Key and Act On File or other capable software to authenticate any digitally signed emails and documents that we may have sent you. Our public authentication key is also used to authenticate the authenticable testimonials which we have given to our suppliers, customers and other partners. The testimonials are usually posted on the testimonial recipients' website(s). Learn more here.
Public Encryption Key
Click this link to download our Public Encryption Key. Public Encryption Key is used to encrypt information in such a way that only the holder of the complementary Private Key can decrypt it. Use our Public Encryption Key and Act On File or other capable software to send us any private information that you may want us to have. Learn more here.