(no title)

> domain names are owned

Are they really owned? I’ve always thought they’re [f]actually merely temporarily leased from a registry, and the ownership is just a legal fiction.

Unlike cryptographic keys, I don’t think domain names really pass the “can they be taken away without owner’s consent?” test. On paper maybe they should, but that’s certainly not how it is in reality.

Attaching digital identity to something that comes from a third party (a registry) rather than individual themselves is a fundamentally wrong idea.

    urn:fdc:domain-i-controlled-in-2022.com:202212:resource:fred

There is an amount of legitimacy to the domain issue, at least to me if one considers how certain phishing attempts leverage human (lack of) observation patterns. Like if someone had a bunch of identities under goog1e.com

I see having independent, from Bluesky, and multiple methods of verification as a strength of the network and architecture.

> A lot of people do not want to look at and understand domain names, instead they want to see a name and a check mark. They want a central authority to tell them who is trustworthy and who is not. Domain names are a great solution for technology-adjacent people and I hope that they become more widely accepted, but I'm not too optimistic.

As with most things of moderate import or more, the vibes matter.

Setting up your own domain is pretty simple, but it is also daunting for people their first time.

Even with all the hand holding in the world, without 1:1 human interaction most people won't make that jump.

As a user, I'm mostly fine with making an account with Google or Meta and using that as my identity root. I know there are a lot of problems with that, for example you can lose your account, but you have all the same problems with a different party that registers domains. Besides, the domain model is more complicated and I've had domains lapse, had problems with transferring, and so on.

What I'd want is:

1. register with some trustworthy third party (be it Google, Bluesky, or whoever), get an identity (can be a domain, but an entry in a database is fine)

2. have the option to craft an identity from thin air (by generating a key pair on my laptop)

3. have the option to move between 1. and 2. or between multiple instances of 1. (identity takeout)

4. (bonus) have the option to create sub-identities: I can register a completely new pseudonymous account, but have some (cryptographic) proof that this identity has certain properties: it is tied to a Google employee, to a woman, to someone with > 10.000 Stackexchange score ... without anybody being able to link that account to the person.

I think 1 and 2 are solved, 3 is quite tricky from a UX perspective, and 4 is going to be really hard (but would enable a lot of cool scenarios).

I don't even think it's the technical barriers per se that makes people distrust domain names as a form of verification. I think the idea of competing sources of truth creates some uncomfortable cognitive dissonance for a large number of people which drives the demand you identified for a central authority.

Someone should tell these people about Keybase.

someone should just buy bsky.nyc and sell subdomains for people that have Real IDs with a NYC address, then my handle could be @jazzyjackson.bsky.nyc and anyone who knows about the system then could trust I'm using my government name and that I'm not a russian bot.

But yeah I was disappointed with the lack of adoption there. The CEO of the onion is a prolific poster and has to deal with scambots but can't be bothered to use onion.com in his handle

The platform owners have spent two decades de-emphasizing domains, so it's not too surprising that most people struggle to understand how they work. I think that can change with education and awareness if domains as identity start to catch on. It just takes time.

For now, I think wider adoption of things like DomainConnect [1] would make a difference. It works really well to set up an MS365 account with DNS hosted at Cloudflare, but it would need a workflow that supports sending requests to your DNS admin rather than assuming everyone is a DNS admin.

> A lot of people do not want to look at and understand domain names, instead they want to see a name and a check mark. They want a central authority to tell them who is trustworthy and who is not.

I think 'trustworthy' is a key word there and would add that I think a lot of regular people conflate identity verification with moderation. It's important to keep those separate because as soon as an identity system becomes a moderation system, it's worthless.

That's what makes domains so great for identity, especially with the way the AT protocol works. It helps to create a clear separation between identity verification and moderation. Moderation is much harder than identity verification, so having a clear line between the two should make it easier to develop technical systems that perform identity verification.

For pure identity verification, I think BIMI [2] is sitting on a solution they don't even realize they have. They're too tunnel visioned on email verification, but the system they've built with VMC (verified mark certificates) works as a decentralized system of logo verification. For example, I can tell you this logo [3] is trademarked and owned by 'cnn.com' and I can do it via technical means starting with the domain name:

    dig default._bimi.cnn.com TXT

Seeing a 3rd party URL in the TXT value makes me think the implementation is weak since that would be better as a CNAME pointing to a TXT record managed by a 3rd party, but I've never looked into the details enough to know if it'll follow CNAMEs (like ACME or DKIM do).

Also, the VMCs are only good for high value brands because CNN is paying DigiCert $1600 / year for the certificate, but, since it's just PKI, it allows anyone to put up that logo with a verified badge on the @cnn.com identity. A more accurate badge would be the registered trademark symbol [4].

Even though that only works for high value brands that own a logomark, it works extremely well and would be a great start to a system that's easier for the average person to understand because logos are a simpler concept than something abstract like domains and no one is spending the time and effort needed to get a fake VMC (if it's even possible).

The Bluesky implementation for domain verification has a long way to go though. It's very naive at the moment and doesn't even do a proper job of dealing with changes in domain ownership. In fact, almost everyone doing domain validation is doing it wrong because very few implementation do re-validation from what I've seen.

1. https://www.domainconnect.org/

2. https://bimigroup.org/

3. https://amplify.valimail.com/bimi/time-warner/I0vDrJpkRnB-ca...

4. https://en.wikipedia.org/wiki/Registered_trademark_symbol

> instead they want to see a name and a check mark

How is that remotely surprising?

Most famous people are not known by domain names. Most are known by their real names. Some are known by usernames on particular services, like MrBeast on YouTube or dril on Twitter.

Maybe, if Bluesky stays popular, a new crop of Internet-famous people will be known by their domain names. But even then, you're probably not going to remember whether they're foo.com or foo.io or foo.bsky.social.

Some people, mostly in tech, do have well-known personal websites hosted at their own domains – but I for one rarely remember the specific domains, because I'm used to finding websites through search. (Off the top of my head I can only think of cr.yp.to.)

Companies are more likely to have websites and well-known domains, so there's that, but most social media users are individuals.

Besides, domain names are not more owned than Twitter handles or any other kind of username. If anything, they're less owned. When Elon Musk stole some people's Twitter handles, it was (tech) news. The expectation with most services is that you can register a name and hold onto it forever for free; at worst it might be lost if you're totally inactive for a long time. Meanwhile, domains require yearly payment. Once they expire, they're often instantly snapped up by a bot with no way for the original owner to get them back.

So in practice, people lose their personal domains all the time. Less common for companies, but companies do tend to let their names expire when they go out of business. Just the other day there was a front-page post about using this to hijack people's identities. [1]

Domain names can also be taken away for trademark infringement (UDRP) or by a court for other legal reasons (e.g. pirate sites often have their domains seized). Domains can be lost for political reasons, as with .af domains suspended last year [2] following the change of government in Afghanistan (originally thought to be caused by the message expressed by the names, in reality caused by payment issues resulting from economic sanctions, but either way happening for political reasons). You even have situations like .io where millions of domains might disappear in one stroke (though it probably won't actually happen).

[1] https://trufflesecurity.com/blog/millions-at-risk-due-to-goo...

[2] https://www.reuters.com/technology/brokeaf-goes-offline-afgh...

(Feeling a little agitated today)

I suspect the average person believes "paying for services" = "slavery" and "free as in beer" = "freedom" and would, if pressed, would rather give their life than change that belief.