Unfortunately that’s how I’m beginning to see this too, a sign of old school nepotism and struggle to regain lost status. We’ve seen how this unfolded for Twitter.

Some employees aren't even verified!

I hear you. I haven't investigated every account that got the badge, but it feels to me like they picked people who are both technical and engaged with the protocol, so not entirely arbitrary. That naturally will have some correlation with "I know someone at bsky". I know I've seen accounts that I think are cooler than I am who didn't get verified yet! I'm sure they'll be expanding soon, which will dilute this sort of association.

An imperfect system is still better than nothing. Look what happened to Twitter with the removal of its verification (before feckless Musk had driven it fully into the ground).

I'd agree that would be nice, but at least they can change into that in the future if they want.

Hilariously, it's kind of less centralized than I expected: there's no "Bluesky is the web of the root of trust" here, only "Bluesky chooses which records convert to UI" which leaves the whole system open for others.

> I trust the NYT as far as I can throw them when it comes to verification

You don't trust the NYT to verify its own reporters?

Also, why do you say that in any circumstance? Who do you trust?

What's good is that the technical design here allows them to pivot into that if they choose, and alternative clients can already do that if they wish.

The NYT account on Bluesky does nothing besides make automated posts linking to their own articles. Why would account verification even matter in that case? It is in effect just a spambot. It posts links and doesn't engage with responses.

What's your concern with the NYT? Do you think they are incompetent and might verify people who are not who they say they are, or do you think that they are malicious and will deliberately verify bad actors, or something else?

Bluesky could always revoke NYT or any other 3rd party verification site if they abused it. The bsky community would identify bad verifications very quickly.

[dead]

I haven't tested it, but with my understanding, it should disappear.

I have no real insight. I do know that I am a big fan of Bluesky/atproto and post about it fairly regularly, and enjoy being friendly with the devs. They verified just over 200 accounts, and most of them are news organizations and their employees, and the rest are programmers who regularly use the site and/or engage with the protocol.

I think this makes sense, because 1. most people want this sort of feature for news and 2. the kinds of people they verified technically are likely to play around with it and see how sound it is, which is who I'd want to be kicking the tires.

I'm not sure when they'll verify more people, but this is only the beginning, for sure.

The problem I had with twitter was the check was supposed to mean one thing and one thing only: that the person was who he or she claimed to be.

What twitter starting doing was removing blue checks from people who were causing problems for the platform (but not behaving bad enough to kick off). This made no sense because people still needed to know if a person was who he claimed to be (e.g., Milo Yiannopoulos) even if the person was controversial or problematic or just plain nasty.

Blue Checks weren't "gutted". Now they just mean something else -- you're a premium subscriber.

What’s stopping me from making an org that hands out verifications to anyone?

The problem with Twitter (before the whole blue check system was gutted into meaninglessness) was that verification badges were merit and nepotism and not identity based

Why is it "meaningless overnight" on Twitter? Twitter knows who you are if you're paying them montly. Ergo, you are "verified".

Coming soon from Bluesky: per-country verification.

Very interesting; thanks. So it is possible on the tech side, but needs organisations to take advantage.

A long time ago there was this “web of trust”, I don’t think it exists anymore. Was one of the big CA and you could get different certificates through some form of vouching, I think it even went as far as meeting people to show your ID and then they sign you or something. As it was run by a big CA, not really distributed but IIRC they kept their involvement minimal. It’s been a long time but if you’re curious maybe look into that

There is a p2p social network (as in, people offering there services whatsoever) in France that does exactly this: it's called "Gens de confiance". It works well, although it creates kind of a gated community (as intended: it is mainly meant for upper-class social circles).

My initial thought is about GPG's "Web of Trust" system for trusting strangers' keys. But I don't know if that's a very good example since it always seemed somewhat esoteric and maybe not very successful in general.

"Working" would be a stretch, but this is how "web of trust" systems like PGP are supposed to function. Although I would say the BlueSky system sounds like it could skirt some of the pitfalls of web of trust because verifiers can also be trusted to revoke verification.

I think the more exclusive private torrent trackers usually work on that basis.

ArXiV. Though they don't revoke papers that way

Google Pagerank

Could use follows, retweets, etc instead of page links

> If you're trying to claim you work for NYT then get a NYT verified account?

Part of the problem here is consistent identity over time. People do not like changing their handles unless they want to. I'm steveklabnik.com now, but if I started working at the NYT, and had to switch to steveklabnik.nyt.com, old links break to my posts, etc. And what happens if I want to be verified by more than one org at a time? Domains (at present) can't do that.

> And whatever happened to Keybase?

They got acquired by Zoom and promptly put Keybase into maintenance mode.

> I don't see what the problem was with using domains.

DNS for your average user is too complicated. Also what should the domain name be for a journalist at the NYT? What if they leave the NYT?

I would have liked to have seen a justification for this as well. One thing about labels is that they can apply on a per-post granularity as well as a per-account granularity, but verification is purely account-level. Another is that they have slightly different semantics, you can lose your blue check if you change your handle or display name, but labels stay the same no matter what. That's probably the real justification for making it its own feature.

>it's a small site and politics is "banned".

Well, the “wrong” politics are.

>Because those conversations do end up happening elsewhere

All research shows the opposite in fact. Adding friction to something causes a chilling effect in nearly any and all examples we have ever paid attention to. When you remove easy access to guns, people kill themselves less despite there being other easy ways to do so. When reddit banned a bunch of toxic communities, the entire site had less toxicity, even on subreddits that were unrelated to the toxic communities

Friction works. It works insanely effectively too.

> It's the same as "Trusted flaggers" under the EU's DSA. Nobody trusts them. Just like when non-democratic countries call themselves "Democratic Republic"

Trusted flaggers literally need to publish transparency records and are approved by orgs in EU countries under elected governments.

If you say that is all bullshit and EU is a North Korea and North Korea is a shining example of democracy then you should probably remove your dig at DPRK's self naming;) Because your own comment measures non-democratic countries by the standard of democratic countries. if you want to be wrong be consistent at least

Being on both until recently, BlueSky feels less like an echo chamber than X to me.

Censorship is a negative frame when it also provides healthy platform moderation and safety.

I actually don't know what you are talking about.

NYT journalists are in a different class from random Bluesky users — if they spread unfounded conspiracy theories on their corporate-approved account, they can be fired from their jobs.

Put another way, a Bluesky post saying "BREAKING: Trump dies from natural causes" from an employed NYT journo carries a different salience than the same post from a random Bluesky user.

Correct. I'd like the example of NYT as a verifying authority better if I trusted the Times more than I trusted some of their journalists (blessed few, mind you).

I think it's pretty hilarious that the Times, of all people, count as 'trusted'. It makes me automatically distrust BlueSky verification, which doesn't sound like the intention.

> The blog post is unclear on if they will only be allowed to verify accounts as being part of NYT or if they will be allowed to give out blue checks to anyone in general.

On a technical level, any account can "verify" any other account.

On a practical level, blue checks are shown only if that verification comes from someone BlueSky trusts. Right now, that's bsky.app and nytimes.com.

> News organizations have in recent years started selling so-called "contributor" positions.

Which ones? I've heard of that with lower credibility organizations (Forbes, I think), but nothing like the NYT.

> they sneak edit articles when they get caught spreading misinformation but regularly don't disclose what was actually changed.

I think they correct things. I'm not sure they have ever been in the habit if notifying people of every correction, though it would be interestesting to have an edit history with diffs.

My understanding of that situation was that they could either remove that content from being accessible on Bluesky (the client) or have the site blocked entirely.

They landed on country-specific moderation, which is all publicly accessible and documented, allowing countries to label specific posts/contents and have them hidden in the country. Again, this is only on the Bluesky client; other clients can ignore the 'hide' label if they choose.

This is an article that details it pretty well and links to a few tools that allow you to view everything hidden by any country moderation team: https://fediversereport.com/bluesky-censorship-and-country-b...

I was misinformed about Bluesky. Thank you

I suppose if what you don't like about twitter is the people there (or the moderation), bluesky would make a lot of sense. I can't help but feel like the combination of catering towards businesses (verification) and people who don't like conflict (moderation) is recreating the same problem with a different demographic.

Am I anti moderation? No, not really. But the attitude blue sky users have towards it feels very much like wanting to be validated for not liking twitter('s users) rather than a forum for adults who enjoy seeing content from people wildly unlike themselves, which is what drew me to twitter 15 years ago.

Twitter was awful before Musk and is awful in a different way now. Emulating old awful is not good just because new awful is different.

Why isn't it a blue check on a white circular background? That would make it a blue check. It doesn't matter to me since to date I am not a user, I just thought it was interesting that people would accept a non-truth as an ID verification.

More that I actively despise most of what I see on the front page

We could always, uhh... go to NASA.gov. Weird, I know.

Real life people use AI. A good example of this is the lawyers who submit court filings with AI generated legal citations. The get caught because the citations are fake (the case cited does not exist).

>Various levels of verification make it easier to distinguish what's real from not real, for whatever definition of "real" you prefer.

Exactly! ;) Bullshit is still bullshit, whether it's under a real name or a pseudonym. Additionally, blue checks don't stop "real/verified" people from copy/pasting AI-generated content.

> The ability to put fake blue checks on your website isn't the point.

That's my point. ;)

Users can then choose to subscribe or unsubscribe from a Trusted Verifier, if one starts to act in an unsavory manner. That a Verifier exists doesn’t mean people have to use it

In the current system, anyone can verify anyone else.

No, I'm saying they should be much clearer about what their definition is. I also suggested a way to use implement their same "authentic and notable" definition via a trusted and democratic third-party like Wikipedia.

True to your name if nothing else.

Bewildering to me that seemingly any move in the right direction for social media is criticized with even more venom. How exhausting it must be to be stuck in such a frame of mind.

Showing users that these ideas work is a win, it doesn't matter what Bluesky does in the future.

Yeah, I can confirm that I have to go out of my way to find anything NSFW on any of my feeds (even while following multiple artists who occasionally post some risqué drawings), whereas politics are unavoidable.

Granted, I'm probably part of the problem, since I do post (and repost) some political stuff every once in awhile, but still.

I mostly discuss politics. I’ve talked about some technology stuff on there too, but it’s easily 95% politics.

> 2. I've been programming and hosting websites for a decade+ and I would have no idea where to start with any of the things that you propose they "just" require.

That's because OV/EV certification are (currently) viewed/remembered mostly as "a bunch of bullshit that nobody sees the point in", and/or "a money-making scheme designed to allow big companies to throw money at the problem of looking 'more secure' than small companies, by showing up with a prettier lock icon/address bar state in web browsers" — ignoring the fundamental value provided by the design of the system, due to the pragmatics and politics of existing and previous (mostly previous) implementations of the design.

A site presenting an EV cert used to look like e.g. this in Firefox: https://upload.wikimedia.org/wikipedia/commons/6/63/Firefox_...

And this in IE/Edge: https://www.thesslstore.com/blog/wp-content/uploads/2010/06/...

Once browsers stopped visually differentiating sites signed by OV/EV certificates from sites signed by DV certificates with the big "green for go" coloration, corporations no longer had any motivation to get EV certificates, so everybody forgot they existed. This happened a decade+ ago.

(And then, in 2019, the last vestige of this distinction was removed, when EV certs stopped making browsers show the identified company name beside the lock icon: https://www.leaderssl.com/news/492-google-and-mozilla-will-s...).

Because of this, nobody today is really familiar with EV certs. But that doesn't mean they're hard or arcane; they're just obscure. And the process for getting one is clunky — but it used to be that the process for getting regular (DV) certs was clunky, too. The EV cert process just hasn't been updated with the times to match the ease of getting a DV cert, because nobody has cared to do so, because there's no demand.

But neither of those things mean that EV certs aren't fundamentally a good way to secure identity in a web of trust. Every code signing certificate is an EV cert, for example. And all cross-signed CA certs are EV certs. EV certs are still there, quietly underpinning much of X.509's security model, in TLS and elsewhere.

And as such, it's silly to recreate the EV validation ecosystem, but worse, for something (identity verification on BlueSky) that is pretty much exactly "the green address bar" use-case all over again — when we could instead just revive the dormant infrastructure that powered things the last time we cared about federated identity verification, and polish it up a bit for use in 2025.

> All of this would make it way too difficult to navigate verification for normal people

If they wanted, BlueSky could match what they're doing today by 1. setting up their own X.509 CA, and then 2. delegating the constrained ability to issue OV+EV certs to users from this CA, to named entities (like the NYT, as mentioned in the announcement.) Then you wouldn't have to do anything; everything could be handled on their end, with a BlueSky-CA-issued OV or EV cert just magically appearing bound to your BlueSky account.

(And they could — but wouldn't have to — get this CA into default trust stores of client devices. The BlueSky webapp backend would have the BlueSky CA explicitly in its trust store; as would any first-party native fat clients. Any third-party native fat clients would need to add the CA cert into the app and configure their HTTP client to use it. X.509 is not one global system; every X.509 root-of-trust creates its own tree-of-trust, which is only a web-of-trust insofar as multiple roots-of-trust can [but don't have to] cross-sign things.)

The point here is just that with X.509, big entities who BlueSky is unwilling to delegate identity-verification authority to, or who don't trust BlueSky — or, as BlueSky themselves say, the existing userbase at the point where BlueSky itself becomes adversarial to them — can step outside of this de-facto centralized trust model, by instead getting an different X.509 CA of choice to issue EV certs for any entities they want identity-verified; and then uploading (or in the case of a native app, installing) these certs to bind them to their BlueSky accounts.

In a bigcorp MDM domain, your EV cert allowing you to speak as @bigcorp_pr or whatever, would just get MDM-installed onto your device and you'd never even think about it. You'd just know that you actually can't log into that BlueSky account on any non-company device, despite knowing the password to the account, because no other device has the cert installed.

> and I'm not convinced it would do anything to stop determinated bad actors.

It does as much and as little as what BlueSky's announced approach — have human moderators check identity verifications using their common sense — does.

That's all EV validation is, in the end: collecting a bunch of information and then having a human look at it and say "yeah, this is really who should be getting certified to say they own this domain" or "no, this seems to be some kind of domain hijacking attempt." (Or even "this domain seems created to typosquat a popular brand, so I'm not granting the cert, even if the person really does own the domain." Denying typosquatters EV certificates is/was an explicit feature of most CAs' EV processes — although the term "typosquatting" hadn't been coined yet, so it was referred to as "trademark protection" or somesuch.)

The only difference, in leaning on X.509 infrastructure to do this, would be that you wouldn't have to rely on "BlueSky moderators" as your only group of people willing to put their reputations on the line to assert "yeah, this is who they say they are; they're really in charge of this business; and this business is a real thing—the one you'd think of when you see the name." You can go out and ask any company specialized in "having a reputation for making identity-validation assertions that everyone trusts" (i.e. an X.509 CA) to do it for you.

I don't know why HN is down voting you; you're right.

That said, your gray-status is exactly why I long since stopped pointing out that's what people want, and instead shifted my argument towards educating readers why that's bad. The dearth of informed electorates is a crisis plaguing humanity as a whole, and we sorely need to start shining a light on the practices that create this harm ("answer engines") rather than shaming users that engage with those traps alone.