Darius Kazemi

Been talking to people at work about this whole verification thing and I was pointed to this really interesting specification for "trust.txt" -- basically a "robots.txt" and I could imagine it augmenting the rel=me thing that Mastodon already does. nytimes dot com could list their associated journalists' social media at this endpoint and Mastodon could do a handshake with that, similar to what it does with rel=me

journallist.net/wp-content/upl

14 comments
Darius Kazemi

But also: this could be a mass harassment vector for journalists! Someone goes to trust.txt, scrapes every account there, and harasses them.

But I do think that once you say in an official capacity "I am affiliated with [org]", you have to assume that anyone can find that info and can and will scrape it even if there isn't a directory available. idk. tough design space

blaine

@darius there's something interesting there. Thanks for sharing, filed in "folksprotocolonies" and labeled clearly "DO NOT ATTEMPT TO BIKESHED" 😅

Darius Kazemi

@blaine I will whack you with the no-bikeshedding stick if I have to

blaine

@darius thank you. I know I can count on you. 🏑❤️

[DATA EXPUNGED]
Darius Kazemi

@polymerwitch well, the fallback is a literal text file on the root of your domain. so someone could maintain that in excel and just export it as needed

Malle Yeno 🦝

@darius I'm interested in this idea, could you elaborate on it?

- What stops a malicious actor from spoofing a trust.txt and using that as validation in a similar way to phishing? ("verified by 'nytines' dot com", etc.) Would sites need a whitelist of valid trust.txt sources?

- On a related topic to the harassment vector point you had: how would you sell trust.txt to orgs that are interested in verification but do not normally want contact exposure for some personnel? (ex. directors and exec)

Darius Kazemi

@malle_yeno

(1/2)

- you're right, spoofing is simply always going to be a threat where DNS is involved, but also anyone could spoof the service that I mention in the original post too the same way. "fedifeid" or whatnot. solutions that get around that are huge crypto-based things that are unlikely to play nice with IT infrastructure at say, news orgs

Darius Kazemi

@malle_yeno

(2/2)

- it's a necessary tradeoff. if an exec wants to say "I am truly CEO of CorpX on LinkedIn" then the point there is to publicly broadcast that that is who they are. This is about linking public profile information to public institutions (at least in the journalism context here)

alys

@darius i guess the advantage of an instance like journa.host (or even a nytimes-specific instance) is that they could keep an eye out for attacks targeting newsrooms' entire trust.txt lists and possibly handle it faster or more efficiently.

on the other hand, that might also overwhelm the moderation capabilities of a particular instance.

Jan Adriaenssens

@darius To verify accounts associated with a public website (like newspapers or broadcasters):

You could diminish the "harassment" aspect by having the "trust.txt" document actually be a list of *hashed* accounts.

So when you want to verify whether an account is associated with a website, you can check this one-way (without being able to scrape the full trust.txt).
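Added example, not part of the thread and not taken from the trust.txt specification: a sketch of the hashed-list check described in the post above. The file format (one SHA-256 hex digest per line, `#` comments), the function names, and the `news.example` / `social.example` values are all assumptions constructed for illustration.

```python
import hashlib

def normalize(account: str) -> str:
    """Canonical user@host form so publisher and checker hash the same bytes."""
    acct = account.strip().lstrip("@").lower()
    user, _, host = acct.partition("@")
    if not user or not host:
        raise ValueError(f"expected user@host, got {account!r}")
    return f"{user}@{host}"

def digest(site: str, account: str) -> str:
    # The site name is part of the hashed data, so a digest copied from one
    # site's file does not validate under a different (look-alike) site name.
    data = f"{site.lower()}\n{normalize(account)}".encode("utf-8")
    return hashlib.sha256(data).hexdigest()

def publish(site: str, accounts: list[str]) -> str:
    """Publisher side: emit the hashed list (hypothetical file format)."""
    lines = ["# hashed account list (hypothetical format)"]
    lines += sorted(digest(site, a) for a in accounts)  # sorted: hides input order
    return "\n".join(lines) + "\n"

def parse(text: str) -> set[str]:
    """Checker side: keep only well-formed 64-char hex digests."""
    entries = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().lower()
        if len(line) == 64 and all(c in "0123456789abcdef" for c in line):
            entries.add(line)
    return entries

def is_listed(site: str, account: str, file_text: str) -> bool:
    """True if the account's digest appears in the file fetched from `site`."""
    return digest(site, account) in parse(file_text)

# Constructed sample data.
SITE = "news.example"
FILE_TEXT = publish(SITE, ["alice@social.example", "Bob@Social.Example"])

if __name__ == "__main__":
    print(FILE_TEXT)
    print(is_listed(SITE, "@ALICE@social.example", FILE_TEXT))   # listed
    print(is_listed(SITE, "mallory@social.example", FILE_TEXT))  # not listed
```

The list still answers yes or no for any handle a checker already knows, so it limits bulk scraping of the file rather than hiding membership.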

Maxb

@darius
Is jounallist.net a fediverse address ? Oh, is it misspelt in your post?

What other fediverse servers can we browse that have a high collection of verified, ethical and unbiased journalists whose aim is Truth and Facts, not corporate sponsored propaganda?

Darius Kazemi

@maxb huh? it's a website of a nonprofit called JournalList. the link is to a pdf. they don't know anything about federation. this is just a specification

journallist.net/
