by verdverm 523 days ago
There is an amount of legitimacy to the domain issue, at least to me if one considers how certain phishing attempts leverage human (lack of) observation patterns. Like if someone had a bunch of identities under goog1e.com

I see having independent, from Bluesky, and multiple methods of verification as a strength of the network and architecture.

for sure - or for someone less famous than one of the hundred domains we all memorize - is philjamesson.com or pjamesson.com or philjamessoncomedy.com or philjamesson.net the real one, etc.
Yeah. One of the most pervasive problems I’d argue of the “web” era is the conflicting needs for canonicalism (e.g. I want to know when I see a “Jack Nicholson” account that it’s that Jack Nicholson) with the fact that very few people have unique names or other obvious identifiers. And half of companies don’t either (e.g. the Beatles’ record label Apple Corps vs Apple, Inc. — which owns Apple.co.uk? Whoever grabbed it first, of course!)

Every service with handles is just another microcosm of the DNS system’s same problem, just usually with even fewer affordances for disambiguating (the DNS’s country codes and things like .org vs .com offer a single crude sorting system, but we’ve seen it solve very little since the move is to “buy ‘em all” if you’re big, witness how WWF the charity couldn’t peaceably coexist with WWF, now WWE just by using .org and .com)

This seems like it would best be solved with an additional, optional attestation layer on top of domain-based uniqueness though.

Nobody cares if I'm ethbr1 or ethbr2. Uniqueness and stability suffices for me.

People do care if {famous person} is {famous person}. Therefore there should be some attestation process for mapping who the current official domain is for {famous person}.

Attestation is a great way to think about this, similar to cosign/sigstore. We can label an existing record or associate new records with it to support this feature. Multiple entities can attest, and their track record, transparency, and reputation can feed into those which people decide they trust.

What I like about ATProto is that it is decoupled like this, even if it still has weak points in terms of decentralization. We can build and extend outside of the choices and governance of Bluesky. It is a true platform in the sense that it will make the participants more money than the originators in the long run.

I think that once you have domains as an identity, you can solve a lot of problems with the idea of 'just add money'. If $1000 gets me a gold check mark, it changes the economics of impersonation. Is it worth it to spend $1000 to get a gold check mark on 'goog1e.com' if a brand monitoring system is going to get that moderated out of existence in a couple of hours?

That's also why domain verification systems need to have continuous re-validation with more frequent re-validation for new identities. For example, if '@goog1e.com' is a new identity, it should be re-validated after 1h, 4h, 8h, 16h (up to a maximum). Additionally, you could let other validated users with aged accounts trigger a re-validation (with shared rate limits for a target domain).

The great thing about domains is that those of us that are good faith participants can build a ton of value on them and that value can be used as a signal for trustworthiness. The hard part is conveying that value to regular users in a way that's simple to understand.

We could also have systems that use some type of collateral attestation. For example, if I donate $1000 to the EFF, maybe I could attribute that donation to my domain 'example.com' and the EFF could attest to the fact that I've spent $1000 in the name of 'example.com'.

You probably have to gate that through some type of authority, but I can imagine a system where domain registrars could do that. I would love to buy reputation from my registrar by donating money to charity.
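The re-validation scheme sketched in the comment above (short intervals for new identities that grow toward a cap, plus re-checks that aged accounts can trigger under a shared per-domain rate limit), written out as an added example. This is illustrative code, not from the thread and not Bluesky's or ATProto's implementation; the 7-day cap, the 30-day minimum account age, the 3-per-24h trigger budget, the `resolver` callback and the sample `records` table are all assumptions.

```python
"""Added example: re-validation scheduler for domain-based handles.

A new identity is re-checked after 1h, 4h, 8h, 16h (the sequence in the
comment), then the interval keeps doubling up to MAX_INTERVAL. Established,
still-valid accounts may trigger an extra check of a target domain, but all
requesters share one per-domain budget so a mob cannot hammer a domain.
Every constant below is an assumed policy value, not a real system's.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

HOUR = 3600
DAY = 24 * HOUR

INITIAL_INTERVALS = [1 * HOUR, 4 * HOUR, 8 * HOUR, 16 * HOUR]
MAX_INTERVAL = 7 * DAY          # assumed cap on the doubling schedule
TRIGGER_MIN_AGE = 30 * DAY      # assumed: requester must be verified this long
TRIGGER_LIMIT = 3               # assumed: user-triggered checks per domain ...
TRIGGER_WINDOW = 24 * HOUR      # ... per window, shared by all requesters


def next_interval(checks_passed: int) -> int:
    """Seconds until the next check after `checks_passed` successful ones."""
    if checks_passed < len(INITIAL_INTERVALS):
        return INITIAL_INTERVALS[checks_passed]
    extra = checks_passed - len(INITIAL_INTERVALS) + 1
    return min(INITIAL_INTERVALS[-1] * (2 ** extra), MAX_INTERVAL)


@dataclass
class Identity:
    handle: str
    domain: str
    verified_at: int          # epoch seconds of first successful verification
    checks_passed: int = 0
    next_check: int = 0       # epoch seconds of the next scheduled check
    revoked: bool = False


@dataclass
class Scheduler:
    # resolver(domain) returns the handle the domain's verification record
    # currently claims, or None. A real one would query DNS / a well-known URL.
    resolver: Callable[[str], Optional[str]]
    identities: Dict[str, Identity] = field(default_factory=dict)
    trigger_log: Dict[str, List[int]] = field(default_factory=dict)

    def register(self, handle: str, domain: str, now: int) -> Identity:
        """Record a freshly verified handle and schedule its first re-check."""
        ident = Identity(handle, domain, verified_at=now)
        ident.next_check = now + next_interval(0)
        self.identities[handle] = ident
        return ident

    def due(self, now: int) -> List[Identity]:
        """Identities whose scheduled re-check time has arrived."""
        return [i for i in self.identities.values()
                if not i.revoked and i.next_check <= now]

    def revalidate(self, handle: str, now: int) -> bool:
        """Re-query the domain; extend the schedule on success, revoke on failure."""
        ident = self.identities[handle]
        if self.resolver(ident.domain) == ident.handle:
            ident.checks_passed += 1
            ident.next_check = now + next_interval(ident.checks_passed)
            return True
        ident.revoked = True
        return False

    def request_recheck(self, requester: str, target_domain: str, now: int) -> bool:
        """An aged, still-valid account asks for an immediate re-check of
        target_domain. Returns False if the requester is ineligible or the
        domain's shared trigger budget for this window is exhausted."""
        req = self.identities.get(requester)
        if req is None or req.revoked or now - req.verified_at < TRIGGER_MIN_AGE:
            return False
        recent = [t for t in self.trigger_log.get(target_domain, [])
                  if now - t < TRIGGER_WINDOW]
        if len(recent) >= TRIGGER_LIMIT:
            return False
        recent.append(now)
        self.trigger_log[target_domain] = recent
        for ident in list(self.identities.values()):
            if ident.domain == target_domain and not ident.revoked:
                self.revalidate(ident.handle, now)
        return True


if __name__ == "__main__":
    # Constructed sample records: domain -> handle its record currently names.
    records = {"example.com": "alice", "goog1e.com": "mallory"}
    sched = Scheduler(resolver=records.get)
    sched.register("alice", "example.com", now=0)
    t1 = 40 * DAY
    sched.register("mallory", "goog1e.com", now=t1)
    print("mallory first re-check in", (sched.identities["mallory"].next_check - t1) // HOUR, "h")
    del records["goog1e.com"]          # the record disappears (e.g. moderation)
    print("alice-triggered recheck accepted:", sched.request_recheck("alice", "goog1e.com", t1 + 2 * HOUR))
    print("mallory revoked:", sched.identities["mallory"].revoked)
```

The schedule is keyed on successful checks rather than wall-clock age, so an identity that fails once is revoked outright instead of quietly aging into the long intervals; whether to revoke or merely flag on a first failure is a policy choice the comment leaves open.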

In the latter case, if you are the EFF, or any other recognized charity (and if you allow a lot of charities that's a lot of people) you can assign a trillion dollars to any domain you like, which is usually cited as a reason to avoid this type of system.

And if the EFF turns bad in the future you can't get a verification badge without supporting bad guys.

This is always true any time you have more than 1 human involved. People can always become corrupt and dishonest, and no technological solution will solve that.

> you can solve a lot of problems with the idea of 'just add money'

You also create a lot of problems and break trust, see the recent US election for an example

One-size-fits-all solutions are always inferior to a system that enables multiple solutions to co-exist and which are forced to compete