Your digest suggestion for validating hidden fields is good, but I can see someone misreading that and thinking that they need to create a really random digest each time and send it.

Instead make it clear that what you mean is that the digest is kept at the webserver, and never sent. Of course leaving it static is also a bad idea, you should change it regularly. But what is important is that the CGI script can verify the hidden data, not that the user can.

Another thing that I am noticing. You may want to make some digressions into links, or produce an index at the top. Reading through your document is very different from referring back to it, and as it grows it could be hard for someone to track down interesting things you said.