by stasm 1064 days ago
> They own the domain.

It seems like a wasted opportunity to set up a new domain (in this case: wikimedia.social) rather than use an existing one with a subdomain, e.g. social.wikimedia.org or social.wikimediafoundation.org. With a new domain I still have to do the work to verify whether the domain is indeed owned by the Wikimedia Foundation.


There's some background at https://phabricator.wikimedia.org/T337586 - a wikimedia.org subdomain was out of the question due to security concerns (it'd involve giving a third party an SSL certificate for wikimedia.org) [1], and wikimediafoundation.org was ruled out because it could cause confusion about volunteers' relationship to the Foundation [2].

[1]: https://phabricator.wikimedia.org/T337586#8932905
[2]: https://phabricator.wikimedia.org/T337586#8936483

From your first link, it seems the decision to use a different new domain stems from difficulties getting the server's HSTS policy right, and it even seems they had a similar issue in the past with having the store as a subdomain [1].

If that's true, for a use case as functionally basic as having a store and a social instance in their respective subdomains, it looks to me like a complete failure of HSTS, a case of technology causing problems that shouldn't exist to begin with.

[1]: https://phabricator.wikimedia.org/T337586#8920625

It's not linked there (or on any Wikitech pages I can find), but I can imagine there's a secondary concern of *.wikimedia.org cookies getting sent to third parties - e.g. Stack Overflow has separate second-level domains (stackoverflow.email/stackoverflow.blog) for their 3rd-party-hosted email service and blog for exactly this reason (cf. https://nickcraver.com/blog/2017/05/22/https-on-stack-overfl...)
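The two mechanisms the thread turns on (HSTS `includeSubDomains` and cookies scoped with a `Domain` attribute) both hinge on the same host-suffix rule. The following is an added example, not code from the thread or from Wikimedia: a minimal RFC 6265 domain-match plus an RFC 6797 HSTS check, run against the hostnames discussed above (`login.wikimedia.org` is a constructed host; no public-suffix list is consulted).

```python
from ipaddress import ip_address


def _is_ip(host: str) -> bool:
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def domain_matches(host: str, domain: str) -> bool:
    """RFC 6265 section 5.1.3: host equals domain, or host is a subdomain
    of domain and is not an IP literal. A leading dot on domain is ignored."""
    host = host.lower().rstrip(".")
    domain = domain.lower().strip(".")
    if host == domain:
        return True
    return host.endswith("." + domain) and not _is_ip(host)


def cookie_sent_to(domain_attr, set_on_host: str, request_host: str) -> bool:
    """Would a cookie set by set_on_host be attached to a request to
    request_host? No Domain attribute means a host-only cookie; a Domain
    attribute that does not cover the setting host is rejected outright."""
    if domain_attr is None:
        return request_host.lower() == set_on_host.lower()
    if not domain_matches(set_on_host, domain_attr):
        return False
    return domain_matches(request_host, domain_attr)


def hsts_covers(hsts_host: str, include_subdomains: bool, request_host: str) -> bool:
    """Does an HSTS policy asserted by hsts_host apply to request_host?"""
    if request_host.lower() == hsts_host.lower():
        return True
    return include_subdomains and domain_matches(request_host, hsts_host)


if __name__ == "__main__":
    # A Domain=.wikimedia.org cookie reaches any subdomain, including one
    # operated by a third party, but never a separate registrable domain.
    for host in ("social.wikimedia.org", "wikimedia.social"):
        print(host, "gets cookie:", cookie_sent_to(".wikimedia.org", "login.wikimedia.org", host))
        print(host, "under HSTS:", hsts_covers("wikimedia.org", True, host))
```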

Seems the real issue is that Mastodon is too hard to self host if not even Wikimedia wants to do it.

> it'd involve giving a third party a SSL certificate for wikimedia.org

You can have certificates for subdomains. With Let's Encrypt you still need to control the root domain to generate them, so they'd have to set up something for that. But that's more a can't-be-bothered concern than an actual security concern. Teaching the public to trust random domains being authentic is a much, much bigger security concern anyway.

I think it'd be great if there was a way to push the identity through a different domain. @foundation@mediawiki.org or such. Needing subdomains is so clunky - imagine if you were example@mail.gmail.com, yuck.

We can get half way there with /.well-known/webfinger - but the alias that provides doesn't show up in the feed, so that's not the username I find from links like OP's.

There is a way in activitypub, but Mastodon itself doesn't support it well. Takahē supports it (https://jointakahe.org/).

It can accrue reputation the same way Wikipedia.org did while providing a spot to add other things like PeerTube without worrying about the security peculiarities that led to them choosing this route in the first place.

https://phabricator.wikimedia.org/T337586#8920625