[shrink]

I like the domain name identity model used by AT (so much so I built handles.net[1] for managing domain name based handles) but during my time reading opinions on Bluesky it has become apparent there's a lot more confusion about and distrust towards domain names amongst non-technical people than I previously thought.

I thought that people generally understood that domain names are owned and that their provenance can be independently verified (which is why they're valuable for identity) but there's a fairly large and vocal contingent of Bluesky users that are frustrated by domain names, so much so there are multiple efforts to establish a private verification system on Bluesky like verified.quest[2].

A lot of people do not want to look at and understand domain names, instead they want to see a name and a check mark. They want a central authority to tell them who is trustworthy and who is not. Domain names are a great solution for technology-adjacent people and I hope that they become more widely accepted, but I'm not too optimistic.

I am optimistic and hopeful that AT has a bright future ahead of it. I think AT has a lot going for it... but I do not think that identity will be a part of that. I suspect many apps built on AT will not bother with handles and will just use local display names.

[1] https://handles.net [2] https://verified.quest

[drdaeman]

> domain names are owned

Are they really owned? I’ve always thought they’re [f]actually merely temporarily leased from a registry, and the ownership is just a legal fiction.

Unlike cryptographic keys, I don’t think domain names really pass the “can they be taken away without owner’s consent?” test. On paper maybe they should, but that’s certainly not how it is in reality.

Attaching digital identity to something that comes from a third party (a registry) rather than individual themselves is a fundamentally wrong idea.

[layer8]

It depends on the jurisdiction. In the EU, the European Court of Human Rights decided [0] that domains constitute a contractually acquired property or possession in the sense of article 17 of the EU Charter of Fundamental Rights [1]. So at least as long as you pay for the registration, your domain cannot easily be expropriated from you. However, it can for example be subject to garnishment. Of course, these property rights can likely only be fully ensured legally for domains under a CC TLD of the EU.

[0] https://hudoc.echr.coe.int/eng#%7B%22itemid%22:%5B%22001-826...

[1] https://fra.europa.eu/en/eu-charter/article/17-right-propert...

[drdaeman]

Paying for an identity sounds extremely dystopian to me.

[layer8]

I see it more like a phone number or postal address, which implicitly also identifies you. Maintaining it generally incurs costs one way or the other. Heck, even the mandatory renewal of national ID cards isn't free.

[drdaeman]

I believe that identity and identity attestations must be well-separated concepts. I am myself (identity), a government had issued me a passport for $name (attestation), and my friends know me as $nickname (another attestation), etc etc.

Third party attestations/endorsements can be based on any conditions, such as payments, behaviors, or whatever - that's up to third parties to decide. But those mustn't be my identity (because that way my identity becomes something a third party controls, and that's not how things are), they must only refer to it.

It's basically Web-of-Trust again (and I realize any attempts to build a digital one had failed so far)

[jazzyjackson]

Well, think of it as a technical term and not a metaphysical one then. Self sovereign cryptographic identification is great, but at some point you have to choose a global namespace so people have a handle to address you by, your choices are some centralized dictatorship like a gmail address or a twitter id, or you can use the globally and politically distributed name resolution system with decades of legal precedent we call DNS.

EDIT: I will concede there is likely some kind of peering/pubsub architecture that would allow for connecting to people you know via QR codes of their DIDs and then using nicknames you distribute to those followers or whathaveyou, I for one am enamored by the design of KERI [0], but I guess you have to decide whether you want people to open a connection to you without any prior negotiation with any of your peers. But if you're OK with people having to be "in-network" or part of a gossiping p2p setup, maybe we can get by without paying third parties for identities.

[0] https://keri.one/

[drdaeman]

My concern is that technical quirks tend to sometimes bleed out of their domains and start to change our perception of the society/world itself.

In the meatspace, I'm sure I don't have any single global handle. Here I have an online handle, my wife has a nickname for me, my friends use various names and nicknames too, one country's government had issued me a passport for one legal name, another country's government - for a different one, and so on. So I wonder if thinking of choosing a global namespace is actually a design mistake, as it doesn't match how the world works.

This said, KERI looks interesting - I like the idea that there's no single global ledger, as it matches my own thoughts on the matter. Thank you for the link, I'll save it to my reading list.

[jdougan]

If you add date info to a domain it can work. See the fdc URN scheme for an example. Otherwise, you are right. I'm not sure why they didn't do something like this with ATproto IDs.

https://www.rfc-editor.org/rfc/rfc4198.html

    urn:fdc:domain-i-controlled-in-2022.com:202212:resource:fred

[ethbr1]

> Attaching digital identity to something that comes from a third party (a registry) rather than individual themselves is a fundamentally wrong idea.

That feels like a turtles-all-the-way-dowm problem.

Ultimately, you either have to tie to something suitable that can be obtained by everyone or a unique characteristic of everyone.

And given the blatant privacy issues [0] with uniquely fingerprinting users, I'd much prefer the former alternative.

[0] https://en.m.wikipedia.org/wiki/World_(blockchain)

[verdverm]

There is an amount of legitimacy to the domain issue, at least to me if one considers how certain phishing attempts leverage human (lack of) observation patterns. Like if someone had a bunch of identities under goog1e.com

I see having independent, from Bluesky, and multiple methods of verification as a strength of the network and architecture.

[spencerflem]

for sure- or for someone less famous than one of the hundred domains we all memorize - is philjamesson.com or pjamesson.com or philjamessoncomedy.com or philjamesson.net the real one etc.

[xp84]

Yeah. One of the most pervasive problems I’d argue of the “web” era is the conflicting needs for canonicalism (e.g. I want to know when I see a “Jack Nicholson” account that it’s that Jack Nicholson) with the fact that very few people have unique names or other obvious identifiers. And half of companies don’t either (e.g. the Beatles’ record label Apple Corps vs Apple, Inc. — which owns Apple.co.uk? Whoever grabbed it first, of course!)

Every service with handles is just another microcosm of the DNS system’s same problem, just usually with even fewer affordances for disambiguating (the DNS’s country codes and things like .org vs .com offer a single crude sorting system, but we’ve seen it solve very little since the move is to “buy ‘em all” if you’re big, witness how WWF the charity couldn’t peaceably coexist with WWF, now WWE just by using .org and .com)

[ethbr1]

The seems like it would best be solved with an additional, optional attestation layer on top of domain-based uniqueness though.

Nobody cares if I'm ethbr1 or ethbr2. Uniqueness and stability suffices for me.

People do care if {famous person} is {famous person}. Therefore there should be some attestation process for mapping who the current official domain is for {famous person}.

[verdverm]

Attestation is a great way to think about this, similar to cosign/sigstore. We can label an existing record or associate new records with it to support this feature. Multiple entities can attest and their track record, transparency, and reputation can feed into those which people decide they trust

What I like about ATProto is that it is decoupled like this, even if it still has weak points in terms of decentralization. We can build and extend outside of the choices and governance of Bluesky. It is a true platform in the sense that will make the participants more money than the originators in the long run

[ryan29]

I think that once you have domains as an identity, you can solve a lot of problems with the idea of 'just add money'. If $1000 gets me a gold check mark, it changes the economics of impersonation. Is it worth it to spend $1000 to get a gold check mark on 'goog1e.com' if a brand monitoring system is going to get that moderated out of existence in a couple of hours?

That's also why domain verification systems need to have continuous re-validation with more frequent re-validation for new identities. For example, if '@goog1e.com' is a new identity, it should be re-validated after 1h, 4h, 8h, 16h (up to a maximum). Additionally, you could let other validated users with aged accounts trigger a re-validation (with shared rate limits for a target domain).

The great thing about domains is that those of us that are good faith participants can build a ton of value on them and that value can be used as a signal for trustworthiness. The hard part is conveying that value to regular users in a way that's simple to understand.

We could also have systems that use some type of collateral attestation. For example, if I donate $1000 to the EFF, maybe I could attribute that donation to my domain 'example.com' and the EFF could attest to the fact that I've spent $1000 in the name of 'example.com'.

You probably have to gate that though some type of authority, but I can imagine a system where domain registrars could do that. I would love to buy reputation from my registrar by donating money to charity.

[immibis]

In the latter case, if you are the EFF, or any other recognized charity (and if you allow a lot of charities that's a lot of people) you can assign a trillion dollars to any domain you like, which is usually cited as a reason to avoid this type of system.

And if the EFF turns bad in the future you can't get a verification badge without supporting bad guys.

[HeatrayEnjoyer]

This is always true any time you have more than 1 human involved. People can always become corrupt and dishonest, and no technological solution will solve that.

[verdverm]

> you can solve a lot of problems with the idea of 'just add money'

You also create a lot of problems and break trust, see the recent US election for an example

One-size-fits-all solutions are always inferior to a system that enables multiple solutions to co-exist and which are forced to compete

[tomrod]

> A lot of people do not want to look at and understand domain names, instead they want to see a name and a check mark. They want a central authority to tell them who is trustworthy and who is not. Domain names are a great solution for technology-adjacent people and I hope that they become more widely accepted, but I'm not too optimistic.

As with most things of moderate import or more, the vibes matter.

Setting up your own domain is pretty simple, but it is also daunting for people their first time.

Even with all the hand holding in the world, without 1:1 human interaction most people won't make that jump.

[Onavo]

The daunting part is usually DNS. Also, a major flaw with domain names is the fact that they are subject to the whims of the provider. What if your last name is Nintendo? Are you going to spend your time disputing every single DMCA and domain seizure request that come your way?

[cidor]

Or if your last name is Nissan: https://en.wikipedia.org/wiki/Nissan_Motors_v._Nissan_Comput...

[captainmuon]

As a user, I'm mostly fine with making an account with Google or Meta and using that as my identity root. I know there are a lot of problems with that, for example you can lose your account, but you have all the same problems with a different party that registers domains. Besides, the domain model is more complicated and I've had domains lapse, had problems with transferring, and so on.

What I'd want is:

1. register with some trustworthy third party (be it Google, Bluesky, or whoever), get an identity (can be a domain, but an entry in a database is fine)

2. have the option to craft an identity from thin air (by generating a key pair on my laptop)

3. have the option to move between 1. and 2. or between multiple instances of 1. (identity takeout)

4. (bonus) have the option to create sub-identities: I can register a completely new pseudonymous account, but have some (cryptographic) proof that this identity has certain properties: it is tied to a Google employee, to a woman, to someone with > 10.000 Stackexchange score ... without anybody being able to link that account to the person.

I think 1 and 2 are solved, 3 is quite tricky from a UX perspective, and 4 is going to be really hard (but would enable a lot of cool scenarios).

[derektank]

I don't even think it's the technical barriers per se that makes people distrust domain names as a form of verification. I think the idea of competing sources of truth creates some uncomfortable cognitive dissonance for a large number of people which drives the demand you identified for a central authority.

[lxgr]

But domains could be that central authority, in a way that regular "verified names" can't be.

With social media handles, it's the eternal game of finding something that's available everywhere, or doing the awkward dance of "i'm @foo (except for platforms B and C, where i'm @_foo)".

I wonder if there is a future for a service mapping domains to human-interpretable names, though?

[verdverm]

Both domain and non-domain, or 3rd party, based verifiers have a trust relationship, which can be undermined by breaking the expectations. Musk Social certainly did this when they made it pay-to-play and removed the blue check on well known accounts the overlord became displeased with.

ATProto specifically advises against shortening domains into some "human readable" format. For example, @foo.bar.com and @foo.baz.com could easily look the same. The full path is unique. What Bluesky provides is a "display name" in addition to your handle. Multiple people can have the same display name, but it always appears next to the full handle

https://atproto.com/specs/handle#usage-and-implementation-gu...

[madeofpalk]

except what makes lxgr.dev authoritative over lxgr.net?

How does… Movie Star get an authoritative domain that people can trust?

[lxgr]

Since I'm not a celebrity, one is as authoritative as the other :)

But one of them I can receive email on and it also hosts my blog, and if I wanted to, I could reference it here in my bio, just like how people do it for "non-self-custodial" social media identities.

It's not perfect, but at least it works across services for regular people without any risk of "handle sniping" once a new service becomes popular. (I suspect that for regular social networks, different rules apply to celebrities than to regular people.)

And for companies, there's always trademark law, which is already heavily integrated into the domain registry framework: Also not perfect, but definitely better than replicating the same solution to n services/sites.

[mrtesthah]

Someone should tell these people about Keybase.

[jazzyjackson]

someone should just buy bsky.nyc and sell subdomains for people that have Real IDs with a NYC address, then my handle could be @jazzyjackson.bsky.nyc and anyone who knows about the system then could trust I'm using my government name and that I'm not a russian bot.

But yeah I was disappointed with the lack of adoption there. The CEO of the onion is a prolific poster and has to deal with scambots but can't be bothered to use onion.com in his handle

[immibis]

But I don't want random bluesky users to know my government name.

[numpad0]

Tying legal name to social media exacerbate toxicity too. People are more likely to double down on mistakes when their reputation is (perceived to be) at stake, and published legal identities are prone to abuses.

[Jarwain]

Not sure you're the target audience for this kind of verification. I see it being more for people with a public persona

A parallel might be not necessarily a Public persona, but still identity verified

[ryan29]

The platform owners have spent two decades de-emphasizing domains, so it's not too surprising that most people struggle to understand how they work. I think that can change with education and awareness if domains as identity start to catch on. It just takes time.

For now, I think wider adoption of things like DomainConnect [1] would make a difference. It works really well to set up an MS365 account with DNS hosted at Cloudflare, but it would need a workflow that supports sending requests to your DNS admin rather than assuming everyone is a DNS admin.

> A lot of people do not want to look at and understand domain names, instead they want to see a name and a check mark. They want a central authority to tell them who is trustworthy and who is not.

I think 'trustworthy' is a key word there and would add that I think a lot of regular people conflate identity verification with moderation. It's important to keep those separate because as soon as an identity system becomes a moderation system, it's worthless.

That's what makes domains so great for identity, especially with the way the AT protocol works. It helps to create a clear separation between identity verification and moderation. Moderation is much harder than identity verification, so having a clear line between the two should make it easier to develop technical systems that perform identity verification.

For pure identity verification, I think BIMI [2] is sitting on a solution they don't even realize they have. They're too tunnel visioned on email verification, but the system they've built with VMC (verified mark certificates) works as a decentralized system of logo verification. For example, I can tell you this logo [3] is trademarked and owned by 'cnn.com' and I can do it via technical means starting with the domain name:

    dig default._bimi.cnn.com TXT

Seeing a 3rd party URL in the TXT value makes me think the implementation is weak since that would be better as a CNAME pointing to a TXT record managed by a 3rd party, but I've never looked into the details enough to know if it'll follow CNAMEs (like ACME or DKIM do).

Also, the VMCs are only good for high value brands because CNN is paying DigiCert $1600 / year for the certificate, but, since it's just PKI, it allows anyone to put up that logo with a verified badge on the @cnn.com identity. A more accurate badge would be the registered trademark symbol [4].

Even though that only works for high value brands that own a logomark, it works extremely well and would be a great start to a system that's easier for the average person to understand because logos are a simpler concept than something abstract like domains and no one is spending the time and effort needed to get a fake VMC (if it's even possible).

The Bluesky implementation for domain verification has a long way to go though. It's very naive at the moment and doesn't even do a proper job of dealing with changes in domain ownership. In fact, almost everyone doing domain validation is doing it wrong because very few implementation do re-validation from what I've seen.

1. https://www.domainconnect.org/

2. https://bimigroup.org/

3. https://amplify.valimail.com/bimi/time-warner/I0vDrJpkRnB-ca...

4. https://en.wikipedia.org/wiki/Registered_trademark_symbol

[comex]

> instead they want to see a name and a check mark

How is that remotely surprising?

Most famous people are not known by domain names. Most are known by their real names. Some are known by usernames on particular services, like MrBeast on YouTube or dril on Twitter.

Maybe, if Bluesky stays popular, a new crop of Internet-famous people will be known by their domain names. But even then, you're probably not going to remember whether they're foo.com or foo.io or foo.bsky.social.

Some people, mostly in tech, do have well-known personal websites hosted at their own domains – but I for one rarely remember the specific domains, because I'm used to finding websites through search. (Off the top of my head I can only think of cr.yp.to.)

Companies are more likely to have websites and well-known domains, so there's that, but most social media users are individuals.

Besides, domain names are not more owned than Twitter handles or any other kind of username. If anything, they're less owned. When Elon Musk stole some people's Twitter handles, it was (tech) news. The expectation with most services is that you can register a name and hold onto it forever for free; at worst it might be lost if you're totally inactive for a long time. Meanwhile, domains require yearly payment. Once they expire, they're often instantly snapped up by a bot with no way for the original owner to get them back.

So in practice, people lose their personal domains all the time. Less common for companies, but companies do tend to let their names expire when they go out of business. Just the other day there was a front-page post about using this to hijack people's identities. [1]

Domain names can also be taken away for trademark infringement (UDRP) or by a court for other legal reasons (e.g. pirate sites often have their domains seized). Domains can be lost for political reasons, as with .af domains suspended last year [2] following the change of government in Afghanistan (originally thought to be caused by the message expressed by the names, in reality caused by payment issues resulting from economic sanctions, but either way happening for political reasons). You even have situations like .io where millions of domains might disappear in one stroke (though it probably won't actually happen).

[1] https://trufflesecurity.com/blog/millions-at-risk-due-to-goo...

[2] https://www.reuters.com/technology/brokeaf-goes-offline-afgh...

[PaulHoule]

(Feeling a little agitated today)

I suspect the average person believes "paying for services" = "slavery" and "free as in beer" = "freedom" and would, if pressed, would rather give their life than change that belief.