Darius Kazemi

Just woke up and learned about #fedified. I literally work at my day job on technology to aid verification of sources and let me tell you: it seems like a pretty big hack of a project that misses the point. Basically you have to trust the humans who run that site. What we actually need is buy-in from organizations to provide rel=me linkbacks to their various representatives. And for unaffiliated people who want verification, you add it to your website. That's it. We already have it on Mastodon

81 comments
Darius Kazemi

I saw the creator of #fedified say "well you can just buy any old domain name and pretend to be whatever org you want" and like... Uh you can check that against a Google search easily. There's no way to know that I can trust whoever is running #fedified or to verify THEIR claims

Darius Kazemi

Funny thing: I was going to set up some meetings at work this morning to talk with, you know, actual experts on content and identity verification to see if we can come up with some tools to AID rather than SUPPLANT the already rather good and decentralized system we have. (For example, your employer might literally just be unwilling to add a rel=me for you for baroque IT reasons. So how do we make that easier for them? Etc)

Anyway I'm still gonna do this

Michael Downey 🇺🇳

@darius Thank you! Some more humans and money for projects like @keyoxide could go a long way....

The Mentor

@darius ignoring the snake oil of web3.0 / nft rubbish that undermines it… identity is an area where blockchain as a technology could work well if you’re trying to maintain decentralised trust.

SlightlyCyberpunk

@darius Any thoughts of adding something like the old PGP Web of Trust concept? Solve Mastodon's verification problem and *also* solve PGP's key distribution problem?

Darius Kazemi

@admin I don't know what that is but I'll look it up

SlightlyCyberpunk

@darius simple version: if Alice trusts Bob, Bob tells Alice that he trusts Charlie, then Alice can trust Charlie. If Bob tells Alice he distrusts Eve, then Alice knows not to trust Eve either.

In a more complex setup you could let Alice say she has 40% trust in Charlie and 80% trust in Dave, so if Charlie trusts Eve but Dave says Eve is dangerous, then Alice would distrust Eve because she trusts Dave's judgment more than Charlie's.

Many Mastodon instances already share what instances they limit or suspend...if that was accessible through an API then creation of limit/suspend lists could be automated for instance admins by choosing a few starting instances that they trust; and new instances could get "verified" by only needing one or a few known instances agree to trust them, so long as they did not act poorly enough to have that trust overruled by others.
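
The two vouching models sketched in the reply above (one-hop transitive trust with distrust overriding, then weighted trust with a normalised score), written out as an added example. This is not code from the thread, from TrustNet or from Mastodon; the graph, the peer names and the 40%/80% weights are the ones in the post, and the data layout and the "distrust wins" tie-break are assumptions chosen for the illustration.

```python
"""Added example of the two web-of-trust models described in the thread.
Not code from the thread, TrustNet or Mastodon. Data layout is an assumption:
  graph[viewer][peer]   -> True (trust) / False (distrust)        (model 1)
  weights[viewer][peer] -> float in [0, 1]                        (model 2)
  opinions[peer][target]-> +1 (trust) / -1 (dangerous)            (model 2)
"""


def simple_wot(graph, viewer, target):
    """Model 1, one hop: a direct verdict wins; otherwise collect the verdicts
    of every peer the viewer trusts and return True only if all of them trust
    the target (any distrust from a trusted peer overrides; assumption).
    Returns None when nobody the viewer trusts has an opinion."""
    direct = graph.get(viewer, {})
    if target in direct:
        return direct[target]
    verdicts = []
    for peer, trusted in direct.items():
        if not trusted:
            continue  # never consult peers the viewer distrusts
        v = graph.get(peer, {}).get(target)
        if v is not None:
            verdicts.append(v)
    if not verdicts:
        return None
    return all(verdicts)


def weighted_wot(weights, opinions, viewer, target):
    """Model 2: weight-normalised average of the opinions held by the viewer's
    peers. Peers without an opinion on the target contribute nothing, so the
    result stays in [-1, +1]. Positive means trust, negative means distrust,
    None means no information."""
    num = den = 0.0
    for peer, w in weights.get(viewer, {}).items():
        op = opinions.get(peer, {}).get(target)
        if op is None:
            continue
        num += w * op
        den += w
    if den == 0.0:
        return None
    return num / den


# Constructed sample graphs reproducing the post's scenarios.
SIMPLE_GRAPH = {
    "alice": {"bob": True},
    "bob": {"charlie": True, "eve": False},
}
WEIGHTS = {"alice": {"charlie": 0.4, "dave": 0.8}}
OPINIONS = {"charlie": {"eve": +1}, "dave": {"eve": -1}}

if __name__ == "__main__":
    print("alice->charlie:", simple_wot(SIMPLE_GRAPH, "alice", "charlie"))
    print("alice->eve:", simple_wot(SIMPLE_GRAPH, "alice", "eve"))
    print("alice->eve (weighted):", weighted_wot(WEIGHTS, OPINIONS, "alice", "eve"))
```

With the post's numbers the weighted score for Eve is (0.4 * 1 + 0.8 * -1) / 1.2, about -0.33, so Alice ends up distrusting Eve because Dave's judgement carries twice Charlie's weight. Anyone wiring this into instance-level limit/suspend lists would still have to decide a threshold and how many hops to follow; both are policy choices the model leaves open.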

Darius Kazemi

@admin ah, yes, I was a (distant) advisor on a master's thesis that was similar to this

cblgh.org/trustnet/

Darius Kazemi

And yes "you can check that on Google easily" implies that Google can be trusted and it can't all the time. Ultimately at some point you do have to simply trust SOMEone, SOMEwhere. What I'm saying is that I don't trust a random person who bought a domain with "fedi" in the name and set up a directory

Pauxlll Kruczynski

@darius or random people with servers—that issue of trust is what has held up some people I know from joining Mastodon

raphael

@darius many things benefit from hiding their depth behind a simple and small surface. but trust really is one of those that benefit from making each link in the chain transparent. trust as a simple tiny interface is almost by necessity a lie.

j.r

@darius funny, I actually tried to bring up these concerns to the original author, they blocked me without any notice...

Darius Kazemi

Been talking to people at work about this whole verification thing and I was pointed to this really interesting specification for "trust.txt" -- basically a "robots.txt" and I could imagine it augmenting the rel=me thing that Mastodon already does. nytimes dot com could list their associated journalists' social media at this endpoint and Mastodon could do a handshake with that, similar to what it does with rel=me

journallist.net/wp-content/upl
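
The trust.txt "handshake" described above, as an added example rather than code from JournalList, Mastodon or the thread. It assumes trust.txt is a plain text file served at /trust.txt with one `key=value` per line and `#` comments, and that the `social=` key lists an organisation's official social profiles; the key names are taken from the JournalList spec as I read it, and the sample file, domains and profile URLs are constructed. The check is two-sided: the profile must link to the organisation's domain, and that domain's trust.txt must list the profile.

```python
"""Added example (not JournalList's, Mastodon's or the thread's code): parse a
trust.txt file and run the two-sided org <-> profile handshake.
Assumptions: key=value lines, '#' comments, 'social=' holds profile URLs.
The file content and all hostnames below are constructed for the example.
"""
from urllib.parse import urlsplit, urlunsplit

# Constructed sample of what a news organisation might publish at /trust.txt.
SAMPLE_TRUST_TXT = """\
# trust.txt for example-news.test (constructed sample)
member=https://press-association.test/
social=https://mastodon.example/@alice
social=HTTPS://Mastodon.Example/@bob/
contact=https://example-news.test/about/contact
this line has no equals sign and is ignored
"""


def normalize_url(url):
    """Canonicalise so trivial variants compare equal: lowercase scheme and
    host, drop the fragment, strip a trailing slash from the path."""
    p = urlsplit(url.strip())
    return urlunsplit((p.scheme.lower(), p.netloc.lower(),
                       p.path.rstrip("/"), p.query, ""))


def parse_trust_txt(text):
    """Return {key: [values]} for well-formed lines. Comments, blank lines and
    lines without '=' are skipped; keys are treated as case-insensitive."""
    out = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        key, value = key.strip().lower(), value.strip()
        if value:
            out.setdefault(key, []).append(value)
    return out


def org_vouches_for(trust_txt_text, profile_url):
    """Org side: does this trust.txt list the profile under 'social='?"""
    socials = parse_trust_txt(trust_txt_text).get("social", [])
    target = normalize_url(profile_url)
    return any(normalize_url(s) == target for s in socials)


def handshake(profile_url, profile_links, org_domain, fetch_trust_txt):
    """Both sides. profile_links are the URLs the user put in their own
    profile fields; org_domain is the domain being claimed. fetch_trust_txt
    is injected so the example runs offline; a real verifier would GET
    https://<org_domain>/trust.txt over TLS and use only that origin."""
    claims_org = any(urlsplit(u).netloc.lower() == org_domain.lower()
                     for u in profile_links)
    if not claims_org:
        return False  # the profile itself makes no claim of affiliation
    text = fetch_trust_txt(org_domain)
    if text is None:
        return False  # nothing published: unverified, not an error
    return org_vouches_for(text, profile_url)


def fake_fetch(domain):
    """Offline stand-in for an HTTPS GET of /trust.txt (constructed)."""
    return {"example-news.test": SAMPLE_TRUST_TXT}.get(domain)


if __name__ == "__main__":
    print(handshake("https://mastodon.example/@alice",
                    ["https://example-news.test/staff/alice"],
                    "example-news.test", fake_fetch))
```

Two caveats worth keeping in view. The handshake only proves that the profile and the named domain agree about each other; it says nothing about whether example-news.test is the organisation a reader thinks it is, so a lookalike domain with its own trust.txt passes just as cleanly. And because the file is public by design, anyone can enumerate every `social=` entry in one request.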

Darius Kazemi

But also: this could be a mass harassment vector for journalists! Someone goes to trust.txt, scrapes every account there, and harasses them.

But I do think that once you say in an official capacity "I am affiliated with [org]", you have to assume that anyone can find that info and can and will scrape it even if there isn't a directory available. idk. tough design space

blaine

@darius there's something interesting there. Thanks for sharing, filed in "folksprotocolonies" and labeled clearly "DO NOT ATTEMPT TO BIKESHED" 😅

Darius Kazemi

@blaine I will whack you with the no-bikeshedding stick if I have to

blaine

@darius thank you. I know I can count on you. 🏑❤️

Darius Kazemi

@polymerwitch well, the fallback is a literal text file on the root of your domain. so someone could maintain that in excel and just export it as needed

Malle Yeno 🦝

@darius I'm interested in this idea, could you elaborate on it?

- What stops a malicious actor from spoofing a trust.txt and using that as validation in a similar way to phishing? ("verified by 'nytines' dot com", etc.) Would sites need a whitelist of valid trust.txt sources?

- On a related topic to the harassment vector point you had: how would you sell trust.txt to orgs that are interested in verification but do not normally want contact exposure for some personnel? (ex. directors and exec)

Darius Kazemi

@malle_yeno

(1/2)

- you're right, spoofing is simply always going to be a threat where DNS is involved, but anyone could spoof the service that I mention in the original post the same way, too. "fedifeid" or whatnot. solutions that get around that are huge crypto-based things that are unlikely to play nice with IT infrastructure at, say, news orgs

Darius Kazemi

@malle_yeno

(2/2)

- it's a necessary tradeoff. if an exec wants to say "I am truly CEO of CorpX on LinkedIn" then the point there is to publicly broadcast that that is who they are. This is about linking public profile information to public institutions (at least in the journalism context here)

Maxb

@darius
Is jounallist.net a fediverse address ? Oh, is it misspelt in your post?

What other fediverse servers can we browse that have a high collection of verified, ethical and unbiased journalists whose aim is Truth and Facts, not corporate sponsored propaganda?

Darius Kazemi

@maxb huh? it's a website of a nonprofit called JournalList. the link is to a pdf. they don't know anything about federation. this is just a specification

journallist.net/

Ali Alkhatib

@darius i wonder if there'd be a way to let the mastodon user generate a short hash that they just need to place someplace on the page (maybe even temporarily?)

like maybe i can't modify html in a page on my institution website but i can copy a hash string, place it at the page at the foot of the page, and then verify (maybe even let me place it temporarily if my IT admin doesn't like it; then you might want to say "last verified 6 weeks ago" or something)

Niall Winters 🌍

@darius I'm sure you're aware of them already but yoti.com are probably worth chatting to.

sfunk1x

@darius I mean, maybe I'm old fashioned, but what about GPG WoT as an additional alternative? I'm sure there's something I'm overlooking there (aside from the complexities around GPG... )

Darius Kazemi

@sfunk1x " the complexities around GPG" is precisely the problem

Michael Downey 🇺🇳

@darius Apparently qualified.

"come for facts, stay for snark, & wear a mask | immigrant | husband + dad | equity advocate | recovering healthtech exec/entrepreneur | infosec researcher | anesthesiologist | nerd 🤓

JOINED
Nov 03, 2022"

Gracious Anthracite

@darius

Man that whole idea sure does have strong "I just came in from Twitter and what this decentralized network needs is some SERIOUS CENTRALIZATION" energy. And lo and behold its creator has an account created a week and a half ago.

Kudos to him for a super fast solution to a problem he sees, I guess, but...

MLF.

@darius @rysiek The obvious "other solution" is, at least for smaller instances, to run your own verification service, and let other users trust or not trust that verification. It all really depends a lot on what you're trying to verify and why - is it equivalence with AFK identity, or affiliation with certain groups, or being the actual beneficiary of a fundraiser or Patreon, and so on

Darius Kazemi

@mlf @rysiek yeah, scope matters. I am talking about organizational affiliation specifically

MLF.

@darius @rysiek In that specific case I agree with you about 90% of the way. The remaining 10% still thinks this could also be solved per-instance if we decide we can accept "verification" to be something different than what it meant on Twitter in the pre-Musk era. :)

Adam Dalliance

@darius

> "well you can just buy any old domain name and pretend to be whatever org you want"

And then that's how he came to buy Fedified.org and pretend to be whoever he wanted.

The Mentor

@darius yeah felt very much like “let me appoint myself as a central authority for a technology that I don’t understand”.

Jason Scheirer

@darius There is literally no way of proving who I am without this. Not multiple years of post and interaction history, not my single-user instance with my name in the username and domain name, nothing.

Darius Kazemi

@jasonscheirer I don't understand. Why don't you add a link to your mastodon from jasonscheirer.com/? Then you'll get a green check on your profile and that's that

Jason Scheirer

@darius I was being facetious and fully agreeing with you. I have the check mark. "Verification" _should_ be organic.

Darius Kazemi

@jasonscheirer ohhhh. sorry. it is hard to tell tone from people I don't know!

Keith Calder

@darius Totally agree. I participated in that list when it first launched because I thought it was just going to be a list people checked when trying to find people they followed on twitter. I have no interest in them turning that into being an "authority" based on rel=me links to their own list.

mcc

@darius So personally I tend to look at my project websites as something my *social media profiles point to*, rather than something that *drives traffic to my social media profile*. I have *never* linked my social media from my professional websites, because my websites are my professional face and my social media are where I talk about dicks and tits and such. I include my project websites on my resume and I don't want an employer seeing my (personal) social media.

Darius Kazemi

@mcc fwiw the rel=me just has to be somewhere in the DOM. I have it set to display:none on several sites

clarity flowers

@darius @mcc you can also put it in <head> as a <link> instead of an <a>

Hunter Gough 🍦🌹

@darius @mcc I saw someone else suggest putting it as a <link /> in the header.

John Conway

@darius Getting verified should be: my account is hosted at the domain that gives me legitimacy.

Darius Kazemi

@john almost correct - it is possible that 1) you wish to verify you are employed somewhere 2) you don't want your social media hosted by your employer

Rel=me links are a good way to account for this

John Conway

@darius True, I was being a bit flippant. Both should happen.

Darius Kazemi

@john agreed! I'm really happy to see that there are already some orgs (like @DAIR ) that are hosting their own social media presence here!

Ryan Schultz

@darius My understanding (from the person who created it) is that it is only meant as a temporary thing, to help people who were following journalists on the birdsite know that they were following the same journalist here on Mastodon. But you're right; it's a human-powered project which must be very time-consuming, and since we can verify ourselves in other ways, I wonder how many people actually do use it.

halcy​:icosahedron:

@darius another thing that works: Big organizations that might _need_ verification, like parties, should simply run their own server from their own domain. I know if an account is on social.bund.de that it is a legitimate german government account

Mark Shane Hayden

@darius In addition to the concept being a hack the admin of #fedified seems to lack appreciation for data privacy law, especially in the EU. The "ask forgiveness after instead of permission before" attitude to privacy and consent I have seen so far raises red flags for me. I also dislike the use of CloudFlare services in hosting this directory of information.

I would suggest to recent Twitter migrants to avoid participation in fedified in any capacity. There are better ways to find and verify people than this...thing.

Mattias Schlenker

@darius And for the "buying an old domain" thing: If you really need "deeper" validation, get an Extended Validation SSL certificate. At 20 bucks per month it pays at the third blue tick. And it shows available technology chains nicely.

Tom Walker

@darius It would be good if there were other methods than rel=me for sites where you don't have access to the HTML, especially other social media sites. Perhaps something like a plain link to your Mastodon profile with ?rel=me appended could have the same effect?

Tom van Dijk

@darius Anyone can just link their profile in their twitter profile anyways

Thomas Lee ✅ :patreon:

@darius Actually, it is not really a hack, but a darn great idea. You go where you feel safe and wanted - your instance. Then you can reach out in the #Fediverse to follow who you do trust. You can easily block users or entire instances should it be necessary. You get used to it.

Darius Kazemi

@DoctorDNS I'm sorry, I don't understand how what you are saying has anything to do with what I am saying. I agree with every word of your post except the first sentence.

OldTurk🗽Focus: #FreeAssange

@darius I thought about a democratic vouching system but I’m not skilled enough to write it. (Each voucher could also be vouched for within the system)

M Verant

@darius 100% agreed

I asked #SquareSpace support to add an easy way to insert rel=me on their hosted sites (they support custom headers if you have premium service, but not the regular service). If lots of folks make similar requests, support should come. It's a trivial feature to add.

of course, lots of web hosting services already have the hooks

A Very Nervous Gamedev

@darius I think the problem you run into is non-techie people trying to onboard themselves but do not have the time or desire to build a whole website to give that verification meaning. What we need is a way for Mastodon's verification system to allow people to verify by putting their link somewhere on their other social media profile(s).

Darius Kazemi

@NervousGamedev yup! I am working on thinking through solutions along these lines

A Very Nervous Gamedev

@darius it should really be a part of mainline mastodon. maybe there's already an issue open for it on GitHub?

Darius Kazemi

@NervousGamedev the problem is that just providing a link is very hard to verify. For example, if all I needed was a simple linkback I could comment on a NYTimes news article with a URL to my Mastodon profile, and link the NYTimes article and be "verified". There are fixes for that but they are tricky and there are many holes in it. The reason why we check for a "rel=me" HTML attribute is that writing unfiltered HTML is typically not allowed by commenting systems

A Very Nervous Gamedev

@darius most social media sites have places on profiles where you can put links that no one else can touch, and that's something that can be scraped. no one else can edit my twitter bio or profile website link on my other socials. if your main internet presence is on instagram and you're joining mastodon, the HTML that displays your public profile data is the most appropriate place to be looking for a link to your mastodon account. you don't need the HTML rel link at that point.

Darius Kazemi

@NervousGamedev right but that would need to be in a machine-readable, consistent format across all of these websites. If Instagram changes where someone's bio is stored (or even just the HTML in which it is structured or the API calls needed to get that info) then everything breaks.
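
The rel="me" check that runs through this thread, as an added example that is not Mastodon's own code. It covers the cases raised above: an `<a rel="me">` anywhere in the body (including inside a `display:none` element, which the parser never sees), a `<link rel="me">` in `<head>`, a `rel` attribute that carries other tokens alongside `me`, and, on the failure side, a bare link with no `rel="me"` of the kind a comment form would let through. The HTML fragments and the profile URL are constructed; the URL normalisation rules are an assumption, not Mastodon's exact ones.

```python
"""Added example (not Mastodon's code): verify that a page the user named in
their own profile links back to their profile with rel="me".
Constructed sample pages below; the profile URL is made up.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit

PROFILE = "https://mastodon.example/@darius"

# Constructed pages standing in for a personal site, a site where only <head>
# could be edited, and a news-site comment thread.
HIDDEN_ANCHOR = (
    '<html><body><p>My projects</p>'
    '<div style="display:none">'
    '<a rel="me nofollow" href="https://mastodon.example/@darius/">fedi</a>'
    '</div></body></html>'
)
HEAD_LINK = (
    '<html><head><link rel="me" href="https://mastodon.example/@darius" />'
    '</head><body><p>Institutional page</p></body></html>'
)
BARE_COMMENT = (
    '<html><body><p class="comment">Follow me: '
    '<a href="https://mastodon.example/@darius">here</a></p></body></html>'
)
WRONG_TARGET = '<a rel="me" href="https://mastodon.example/@mallory">x</a>'


def normalize_url(url):
    """Lowercase scheme and host, drop fragment, strip a trailing slash so
    ".../@darius/" and ".../@darius" compare equal (assumed rule)."""
    p = urlsplit(url.strip())
    return urlunsplit((p.scheme.lower(), p.netloc.lower(),
                       p.path.rstrip("/"), p.query, ""))


class RelMeCollector(HTMLParser):
    """Collect href of every <a> or <link> whose rel token list contains
    'me'. rel is a space-separated, case-insensitive token list, so
    rel="me nofollow" counts. CSS is irrelevant: a hidden element is still
    in the DOM and still parsed. Self-closing <link /> reaches
    handle_starttag via HTMLParser's default handle_startendtag."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("a", "link"):
            return
        a = dict(attrs)
        rel_tokens = (a.get("rel") or "").lower().split()
        href = a.get("href")
        if "me" in rel_tokens and href:
            self.hrefs.append(href)


def rel_me_hrefs(page_html):
    """All rel="me" targets found on the page."""
    c = RelMeCollector()
    c.feed(page_html)
    c.close()
    return c.hrefs


def verifies(page_html, profile_url):
    """True only if some rel="me" link on the page points at profile_url.
    A plain <a href> to the profile without rel="me" does not count, which is
    the property that keeps a URL pasted into a comment thread from verifying."""
    target = normalize_url(profile_url)
    return any(normalize_url(h) == target for h in rel_me_hrefs(page_html))


if __name__ == "__main__":
    for name, page in [("hidden anchor", HIDDEN_ANCHOR), ("head link", HEAD_LINK),
                       ("bare comment", BARE_COMMENT), ("wrong target", WRONG_TARGET)]:
        print(f"{name}: {verifies(page, PROFILE)}")
```

The check is only as strong as the boundary between what a site lets its users write and what it lets them mark up: a comment system that sanitised away every `rel` attribute keeps this property, while any place on a site where someone can inject raw HTML with `rel="me"` can vouch for an arbitrary profile. That is also why the scraping approach suggested above is hard to make general: without a machine-readable marker, a verifier has to know, per site, which part of the page only the account owner controls.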