I got verified in the initial round of verification.
On a technical level, this sort of works like a Root CA: anyone can verify anyone by publishing a `app.bsky.graph.verification` record to their PDS. Bluesky then chooses to turn those from trusted accounts into the blue check, similar to browsers bundling root CAs into the browser.
I am not 100% sure how I feel about this feature overall, but it is something that a lot of users are clamoring for, and I'm glad it's at least "on-protcol" instead of tacked on the side somehow. We'll see how it goes.
Initially I just thought they verified people working at Bluesky, which made enough sense, but this initial batch seeming so arbitrarily decided isn't a good look. It feels all too similar to the "I know someone at Twitter" verification in the SF tech community.
It seems to me this feature would be much better if users could subscribe to verifiers the way they can labelers, perhaps with the official verifier subscribed by default. The current implementation feels centralized in a way that conflicts with BlueSky's stated goals.
It's great for preventing notable accounts from being impersonated, I spend a lot of time on Bluesky and impersonation of notable accounts has been a real pain, verification largely solves this problem and I'm very happy about it.
I wish it'd work like labelers and other moderation features: with users able to choose which verifiers to use. I trust the NYT as far as I can throw them when it comes to verification, for example, whereas I'd be interested in something flagging Bluesky employees or contributors to a given GitHub repository or whatever other bizarre things people would use this for like they already use labels.
In the core team's clients, if the 'verified' account changes its display-name and/or handle, does the blue check stay, disappear, or do some secret third thing?
> Bluesky’s moderation team reviews each verification to ensure authenticity.
How is this compatible with Bluesky's internal cultural vision of "The company is a future adversary"[1][2][3]? With Twitter, we've seen what happens with the bluecheck feature when there's a corporate power struggle.
The problem with Twitter (before the whole blue check system was gutted into meaninglessness) was that not enough verification badges were handed out. It's not exactly a dangerous situation.
Bluesky's idea of verified orgs granting verification badges to its own org members would be an example of a much more robust and hands off system than what Twitter had.
The dangerous scenario is what happened to Twitter after the Elon takeover: verification becomes meaningless overnight while users still give the same gravity to verification badges which causes a huge impersonation problem. But that possibility is not a reason to have zero verification.
Same as the current labeling/moderation service: any participant can verify any other participant. Which verifiers gets a check to appear is a property of the AppView.
If Bluesky becomes evil, you just configure your AppView not to trust their verifications.
Of course, that's the problem: right now we mostly have one AppView (bsky.app), which is the current SPOF in the mitigation plan against the "Bsky becomes the baddies" scenario.
We need a way to reflect that human "social trust" is born distributed, and centralising trust subverts it. But here, while they introduce third party verifiers, rather than individuals deciding which verifiers to trust, bsky is going to bless some. So this is just centralised trust with delegation.
What's missing from the blog announcement is that on the at protocol, anyone can publish a verification of any account. It is then up to each client to decide which verifiers to display / trust / etc.
With that in mind, it seems like bluesky is trying to thread the needle on providing tools for the community to do their own verification (via the protocol) while also making their own client "notable user" friendly (via blessed verifications that show blue checks).
I also don't see why it wouldn't be possible for someone to build a labeler that shows verifications from non-bluesky blessed sources. Then community members could subscribe to that labeler to get non-blessed verifications that they choose to show. It wouldn't show up as a blue check but it would still show up on the user's profile in bluesky.
It would look something like this existing "verification" labeler that doesn't use the underlying verification feature on the protocol but instead has to maintain the data in a 3rd party store: https://imgur.com/a/tXR4FUu
Additionally, third-party clients like Pinksky or Skylight could choose to show blue checks or whatever UI for any verifiers they choose. All the data is on the protocol now, so the 3rd party clients wouldn't need to do the verification themselves.
Human social trust works great at small scale. You go to Jim the butcher because everybody you know in town regularly goes to Jim the butcher and they know he's been making meat pretty well for a long time.
An automated version of this system might say "we verify anybody who at least N people within 3-4 steps of your followers graph are also following."
In a big city, you go to the store that's labeled "Butcher" and figure that, because the building is quite permanent and there's a lot of butchery stuff in there and it seems clean and there are people going in and out, then it's probably a fine butcher shop. No real "social" trust involved.
An automated version of this is probably domain checking, follower count, checking that N other 'verified' accounts follow it, some basic "is this a known malicious actor" checks, waiting until the account has some age, etc. Still kind of distributed, but not really relying on your own social trust metrics.
What's fun is that Bluesky allows you to implement both of those mechanisms yourself.
I don't see what the problem was with using domains. If you're trying to claim you work for NYT then get a NYT verified account?
And what ever happened to Keybase? That seemed like a good solution. Verify by public private key? It really seems like that could be extended. I mean we have things like attribute keys and signing keys. It seems like a solvable solution but just the platforms need to create a means for the private bodies to integrate their keys.
Hell, I wish we'd have verification keys for cops and gov employees. So me a badge? No, show me a badge with a key I can scan and verify your identity. It's much harder to forge a badge with a valid key than it is to forge a badge that just looks good enough
Are there any good examples of a working "vouch" system? I vouch for a few friends, they vouch others, etc. But if my credibility is revoked, everyone downstream of me is either yanked or needs a new voucher.
Apps on ATProto get to decide for themselves. Another Bluesky client, or a completely different app, can make different choices. Users can then decide which interface they want to use. All part of the design of ATProto
IMO a system of "I vouch for these accounts" and "I trust the accounts these accounts vouch for, and the accounts those vouched for vouch for up to x levels deep" would be a workable solution.
I built handles.net[1] to make it easy for organisations to manage their member's handles, I think that using domain names for identity is neat and valuable, I have a vested interest in its success as a paradigm but... domain name "verification" is not the right solution today for non-technical people. I shared this sentiment a few months ago[2] and I have only become more confident in that assessment since.
The approach they've taken ("trusted verifiers") is an approach aligned with their values, as it is an extension of the labelling concept that is already well established in the ecosystem. As an idealist, it is a shame that they gave up, I think they could have had an impact on shifting how non-technical people view domain names and understand digital identity... but as a pragmatist, this is the right choice. Bluesky has to pick their battles, and this isn't a hill to die on.
> The approach they've taken ("trusted verifiers") is an approach aligned with their values, as it is an extension of the labelling concept that is already well established in the ecosystem.
That just leaves me wondering why they bothered with a new separate system instead of just using the existing label system. A "verified by bsky.social" or "verified by nyt.com" or whatever label would do the job perfectly well, no?
Yeah my initial reaction was not too positive. There's something weird to me about simply delegating verification to a third party organization. I'd prefer a more pure solution. Maybe we don't have a solution yet that is simple enough for widespread adoption. The domain based identity does seem a bit too complicated for the average user.
It’s ironic that many comments are skeptical of strong centralized moderation, but they’re posting these comments on a forum with perhaps the strongest and most centralized moderation team of the entire internet.
All I’m saying is that if weak moderation has had a positive effect somewhere, it’s worth showcasing that. Otherwise the evidence is decisively in favor of strong moderation.
In terms of how to keep the moderation team from deteriorating, other platforms could learn a thing or two from HN: put someone competent in charge of the team, and give them lots of incentives to do well.
HN moderation is easy mode because it's a small site and politics is "banned". Trying to do HN-quality moderation of political discourse among millions of users seems impossible.
There are a lot of users that have complained about the s-banning on this site. While the moderation team of this site seems to be well-intentioned, it does inevitably lead to a very strong slant. S-banning users doesn't make them or their viewpoints go away. They just end up happening elsewhere.
Because those conversations do end up happening elsewhere, this site is famous for leaving readers with a strongly false impression of what viewpoints are actually popular among whatever you would want to call this Silicon Valley hacker / VC scene space.
The highly insidious thing about censorship is not only you don't know what you're not seeing but you don't know you're not seeing it -- you don't know what's missing.
This is better than twitters nonsensical verification but still does not close the loop all the way. I think what is needed are a set of equivalency verification's. Sort of like the domain verification used in getting a TLS certificate.
Something like
bluesky user X is equivalent(has control)
to domain A(domain verification)
to youtube account B (youtube verification)
to mastodon account C (mastodon verification)
to D@nytimes.com (email verification)
So logically I would expect a protocol that allows cross domain verification. Best I can come up with is something that works sort of like domain verification extended to user@domain verification. that is, a better engineered version of "make a youtube video with the string 'unique uuid code' in the comment" so that we can verify you own that youtube account"
The problem is that some domains would have no problem standing up this sort of verification. The Times only benefits from verifying it's employees. However I can see fellow social media sites balking as this equivalency weakens their walls that keep people in.
What you're proposing is reminiscent of Keybase's account verification system. You make a post or equivalent on each platform with cryptographic proof that it's you. (e.g here's mine for GitHub https://gist.github.com/ammaraskar/0f2714c46f796734efff7b2dd...).
> Additionally, through our Trusted Verifiers feature, select independent organizations can verify accounts directly.
As someone who believes in equal access and privilege, this is just horrible. "Trusted Verifiers" - how does the bsky team decide which orgs can be trusted? One could argue that this is worse than Twitter. And of course, the echo chamber is going to get worse.
It's the same as "Trusted flaggers" under the EU's DSA. Nobody trusts them. Just like when non-democratic countries call themselves "Democratic Republic".
Hamartia: The tragic flaw that takes the hero to the top will lead its downfall.
It seems to me that BlueSky is trying to rewind the clock and be the pre-Elon Twitter. They had a decent chance to become what Signal is to messaging, but looks like they are trying to be just another Social Media company.
You mean the kind of central authority that can censor accounts at the behest of a despotic government? Bluesky is not decentralized in any meaningful sense.
The appeal of Bluesky, initially, was that Twitter became a deranged platform. I doubt the average user is concerned with central authority insofar as intellectual and moral values inform the goings on. That, rather than centralization, is the problem with new Twitter, Truth Social, and the nihilist right-wing ecosystem more generally.
The blog post is unclear on if they will only be allowed to verify accounts as being part of NYT or if they will be allowed to give out blue checks to anyone in general. It sounds like it's the latter. If not it shouldn't be a blue check at all, it should just inform users that the account is associated with NYT.
News organizations have in recent years started selling so-called "contributor" positions. Anyone with enough money can be a journalist and influence public opinion. And NYT and similar outlets are not trustworthy sources either way, they sneak edit articles when they get caught spreading misinformation but regularly don't disclose what was actually changed. Basically rewriting their reporting as the narrative changes.
I think I've seen this movie before and it doesn’t end with meaningful community trust. It ends with people paying for status, accounts impersonating others with a wink and a checkmark, and eventually, trust being eroded by the very signal designed to uphold it.
I'm not a bluesky user yet but in reading through the post I discovered a problem with their implementation of the ID verification.
They describe it as a "blue check" when in fact it is a white check on a blue circular background.
Just nit-picking I guess but sometimes I read a passage that describes something and I conjure an image in my mind of what I would see should I open my eyes with it all laid out in front of me. This does not fit the image that is described in the post and makes we want to question the author's observational skills.
The old blue checks were very useful as a way of knowing who was approved by the regime. So I sort of look forward to this, even if I still really struggle to even casually use bluesky.
If I was in a less charitable mood, I would categorize it as a misguided attempt at re-implementing previously failed ecosystem. But I am in charitable mood so allow me to say instead 'bold move. lets see if it pays off'.
Hey, I have this personal homepage. Available under a domain name. I trust myself, so I put a PNG of a blue check on it. If you don't trust me, I also have a blue check on my website that is put there by my best friend. Now you have to trust me. I guess I'm verified now, authenticated even.
The web really was better with more pseudonyms. I don't care if you are you, I can read your text, judge it on it's merits (according to my yardstick) and I basically don't care if you or other people consume information that is true or false.
One of the use cases of Old Twitter was official announcements from public figures and organizations. It is useful to know if the announcement that “life has been found on mars” from “NASA” is actually from the real National Aeronautics and Space Administration account.
The ability to put fake blue checks on your website isn't the point.
Bluesky (and the web at large) is slowly becoming filled with spam and AI-generated content. Even if you're OK with more spam (not sure why you would be but you do you), why would you be OK with more content generated by non-humans (the vast majority of which attempts to pass as human)? This just makes it harder to find needles of authentic human content in a haystack of slop.
Various levels of verification make it easier to distinguish what's real from not real, for whatever definition of "real" you prefer. Without any such verification, the web just becomes a bigger wasteland.
It seems like the main problem with verification is that everyone is conflating what verification is or is supposed to be.
It doesn't mean "this person is trustworthy" it means "this person is who they claim to be". But people desperately want it to be the former, or some sort of club.
But these are completely orthogonal concepts that demand different solutions.
Bluesky should do better here though, their definition of "verified" is buried in the blog post as "authentic and notable". This is okay I guess, sort of matches old Twitter. But a bit wishy-washy.
One idea could be to link verification badges to Wikipedia (or Wikidata) entities so you understand who is confirming what about the account. "This Mark Cuban Bluesky account is the same as the Mark Cuban in this Wikipedia article" and let the Wikipedia editors fight over noteworthiness etc.
Pardon the naive question, but could verification not be accomplished by requiring to tie a form of payment to an account? Eg, a CC or equivalent? Outsource the identity validation to other institutions (eg banks), and benefit from their deep investment into identity verification. Would that not work?
Good! I’ve been using a third-party labeller (which is a great hack), but making it more user friendly and official is a great thing.
I’m a proponent of verification only for “important people”. Yes, the definition of important is funny, and people may feel slighted by it: but I’ve yet to find a system that helps me identify high quality sources so immediately on a social media platform.
I think the best way to look at things is to look at platforms that don't and have really never had issues with verification to begin with. An oddly good example is YouTube, which has a verification feature that's so uneventful and drama-free I reckon a lot of people hardly even notice it. Even fairly small scale musicians and creators, at least relatively speaking, can have verification symbols. (Of course, there can be issues with e.g. account takeovers and people changing their name/icon to try to fool you, but that's not really a problem with the verification process itself.)
The trouble with what platforms like Twitter did was by trying to stick to some definition of important, they took what should be a mundane "yep, this is the person it looks like" icon and made it into a status symbol that everyone wanted. Twitter had a hard time defining the boundaries: Shouldn't they verify their most influential users even if they're not real world celebrities or public figures? What happens if someone who is verified says something that they don't like? How do you prevent corruption when you give other organizations special privileges for verification?
For Twitter and Instagram verification, people were bribing employees and getting verification just because they joined an organization (like an eSports team or a news organization.) This was not a good status quo.
Bluesky is probably headed towards the same problem if they try to be the bearer of who's important. Obviously, you can't verify any Joe Schmoe, but honestly you can just set a reasonable threshold based on their status in the platform for as to whether or not they should be eligible to get verification. When you do stuff like say "You should be able to be verified because you work for NYT", that's just weird. Being a journalist doesn't magically make you important, or mean that your posts will be worthy of greater consideration, yet that's what you're setting people up for when you make verification into a big ordeal like this, and it's the reason why Twitter would unverify people for e.g. having an opinion too far outside the Overton window. And using in-platform metrics to determine eligibility seems reasonable anyways... If you have like 10 followers, your verification status is utterly meaningless anyways.
I think if they want to solve the problem for journalists they should've verified the organizations and then made this separate from verifying individuals. Then accounts under that domain could just have some sort of special badge. This especially makes sense because otherwise you could literally just have your personal account become verified by having a couple month stint at the NYT or something, which is non-sensical.
No, it's the best example of how after you take a bunch of VC money you won't ever give up an iota of control or ability to rugpull, no matter what the original purpose of your organization was.
Shouldn't there be some kind of points-system to the verification?
If I am verified by 2 parties each of whom is verified by 10 parties each of whom is verified by 1 party then my verification score would be 20 (= 2 x 10 x 1).
Then people could trust me beinhg me 20 x more than somebody who is only verified by one party who is only verified by one party who is not verified by anybody?
Bluesky is riddled with pornography, even with the strictest settings enabled. I genuinely don’t feel comfortable scrolling any of the curated feeds in a public place except for my direct “Following” only feed.
Not sure how big of a priority this is for the team that runs it, but I would probably use it 20x more if it was ran competently.
That hasn't been my experience with it, and I'm curious as to what usage pattern gets that result other than intentionally following accounts that post pornography. My account that follows and posts tech and general interest stuff gets tech stuff and politics in its discover feed. My account that posts bird photography and follows photographers gets photographs of animals and landscapes, and politics in its discover feed.
It's politics I can't avoid there, not pornography.
I'm not sure what is being verified here. Except that the someone has access to a bluesky handle and a DNS record.
And even that is not a guarantee as it needs to be validated by the bluesky team, for which it helps, in their own words – to have connections with them.
Otherwise I could buy dozens of domains and spin up bots to churn out AI slop as "validated" accounts. I could buy linustorvalds.com for 25k and impersonate him.
It's still a two-tier system for clout-chasers. If you're cool enough, you get a "Officially Cool™" badge from the bsky team. If you're not, hope that a 3rd party provider decides to give you one. Or you're a second-grade netizen.
If you contextualize this as a form of limiting the power and reach of bots, and you avoid going down the rabbit hole of speech and censorship, then this move is actually a very clever way of scaling that out.
Trust is always going to be a game of cat and mouse, and this seems like just another move.
<checks Twitter development timeline> Yep, right on schedule.
Fine with this albeit very 'manual'...but not clear if any other choice. I do really like the domain username scheme and if anything this news just draws more attention to that because there's sooo many organizations/news outlets etc not taking advantage.
The lack of domain-based verification among organizations is indeed bewildering. Surely these orgs have IT departments, right? Even the most junior of help desk techs should be able to figure out how to create a TXT record and paste in the gobbledegook that Bluesky provides to link that to an account.
If these orgs don't have IT departments, then, well, pay me $20 and I'll do it for you.
What’s the value in verification, exactly? Seems like a solution to a problem that doesn’t exist. Do non-idiots really get confused into thinking Jack Dorsey’s account is someone pretending to be Jack Dorsey?
Before Twitter did any sort of verification it was not difficult to determine whether an account claiming to be someone was actually that person for anyone who was actually interested.
I suspect a lot of people have this delusional fantasy where “verification” is going to shape political discourse in their favor.
> Before Twitter did any sort of verification it was not difficult to determine whether an account claiming to be someone was actually that person for anyone who was actually interested.
It was if you were a regular, non-technical user or not terminally on Twitter.
Given usernames-as-domains, is there a reason to not just piggyback this on the X.509 web of trust?
After all, we already have an established and highly-monitored set of sibling "trust roots" — we call them Certificate Authorities.
And we already have an identity-validation system coupled onto X.509 FQDN-as-CN (i.e. TLS) certificates — certificate validation levels.
BlueSky could just:
1. require a domain username for verification;
2. require that the domain presents an Organization Validated (OV) cert for verification as a "public individual" (i.e. the kind with a "personal brand" — which usually implies "worth registering as an LLC");
3. require that the domain presents an Extended Validation (EV) cert for verification as a corporation.
...and the whole problem of identity validation becomes outsourced, and federated, and decentralized. (Federated because multiple sibling CAs; decentralized because every computer administrator gets to decide for themselves which CAs their machine should trust.)
---
A rebuttal might be that "EV certs can't be used for this, because EV certs are too expensive, take too long to get, and don't integrate well with automatic per-subdomain DV cert issuance via ACME."
But (IMHO) that's not a problem to be worked around; that's a problem to be fixed. Why leave a broken generalized web-of-trust infrastructure sitting there unused?
If an online casino can KYC/AML you in two minutes with a passport scan and a 3D camera photo, it shouldn't be impossible to do for OV+EV validation what we did for DV validation with ACME. (Ideally in such a way that you can do the interactive process once, receiving not a cert, but some kind of collateral; and then, later on, any ACME server should accept that collateral during an interactive domain ownership probe, to upgrade the DV cert it's issuing you into an OV/EV cert.)
---
The other neat thing about this approach is that, in a "fat" native BlueSky app (i.e. not just an Electron wrapper), the app wouldn't have to trust the BlueSky service to say who's verified. The app could TLS-validate each domain username itself, to compute the appropriate badge for that user — just as a web browser does when you visit a website. And it would presumably use your machine's OS TLS CA store for that validation, just as (some) browsers do.
2. I've been programming and hosting websites for a decade+ and I would have no idea where to start with any of the things that you propose they "just" require.
3. The OV requirement seems kind of hokey. There's no such thing as "worth registering as an LLC" — anything can be an LLC. You could have an LLC that just holds your dog's assets and call it Internal Revenue Service (LLC), assuming someone else hasn't already grabbed that name in your state, and that would be completely valid.
All of this would make it way too difficult to navigate verification for normal people, and I'm not convinced it would do anything to stop determinated bad actors.
BlueSky users are already kind of doing this. Members of the US House and Senate tend to use their .house.gov/.senate.gov domains as usernames, which is a very trustworthy signal that the account is legitimate.
They can justify it however they want to all day long, but we've got enough real-world examples of verification to show that its core use isn't about protecting users, but about authorizing acceptable speech on a platform and protecting advertisers.
Domain verification was genuinely all the verification needed. This checkmark system is just a copy-paste troublemaker from Twitter, and we all saw how well that turned out whenever a celebrity or billionaire's account got hacked to shill grifto schemes. Training users to only look for a symbol just desensitizes them to the complexities of identity and sanctioned speech.
steveklabnik|10 months ago
On a technical level, this sort of works like a Root CA: anyone can verify anyone by publishing a `app.bsky.graph.verification` record to their PDS. Bluesky then chooses to turn those from trusted accounts into the blue check, similar to browsers bundling root CAs into the browser.
* https://pdsls.dev/at://did:plc:z72i7hdynmk6r22z27h6tvur/app.... <- bluesky verifying me. it's coming from at://bsky.app, and therefore, blue check
* https://pdsls.dev/at://did:plc:3danwc67lo7obz2fmdg6jxcr/app.... <- me verifiying people I know. it's coming from at://steveklabnik.com, and therefore, no blue check.
I am not 100% sure how I feel about this feature overall, but it is something that a lot of users are clamoring for, and I'm glad it's at least "on-protcol" instead of tacked on the side somehow. We'll see how it goes.
joshuaturner|10 months ago
Zak|10 months ago
0x0boo|10 months ago
yellowapple|10 months ago
throwaway642012|10 months ago
I’m on Bsky as well but haven’t seen any such updates.
gojomo|10 months ago
greyface-|10 months ago
How is this compatible with Bluesky's internal cultural vision of "The company is a future adversary"[1][2][3]? With Twitter, we've seen what happens with the bluecheck feature when there's a corporate power struggle.
[1]: https://news.ycombinator.com/item?id=35012757 [2]: https://bsky.app/profile/pfrazee.com/post/3jypidwokmu2m [3]: https://www.newyorker.com/magazine/2025/04/14/blueskys-quest...
hombre_fatal|10 months ago
The problem with Twitter (before the whole blue check system was gutted into meaninglessness) was that not enough verification badges were handed out. It's not exactly a dangerous situation.
Bluesky's idea of verified orgs granting verification badges to its own org members would be an example of a much more robust and hands off system than what Twitter had.
The dangerous scenario is what happened to Twitter after the Elon takeover: verification becomes meaningless overnight while users still give the same gravity to verification badges which causes a huge impersonation problem. But that possibility is not a reason to have zero verification.
snotrockets|10 months ago
If Bluesky becomes evil, you just configure your AppView not to trust their verifications.
Of course, that's the problem: right now we mostly have one AppView (bsky.app), which is the current SPOF in the mitigation plan against the "Bsky becomes the baddies" scenario.
tedunangst|10 months ago
ajb|10 months ago
We need a way to reflect that human "social trust" is born distributed, and centralising trust subverts it. But here, while they introduce third party verifiers, rather than individuals deciding which verifiers to trust, bsky is going to bless some. So this is just centralised trust with delegation.
healsdata|10 months ago
With that in mind, it seems like bluesky is trying to thread the needle on providing tools for the community to do their own verification (via the protocol) while also making their own client "notable user" friendly (via blessed verifications that show blue checks).
I also don't see why it wouldn't be possible for someone to build a labeler that shows verifications from non-bluesky blessed sources. Then community members could subscribe to that labeler to get non-blessed verifications that they choose to show. It wouldn't show up as a blue check but it would still show up on the user's profile in bluesky.
It would look something like this existing "verification" labeler that doesn't use the underlying verification feature on the protocol but instead has to maintain the data in a 3rd party store: https://imgur.com/a/tXR4FUu
Additionally, third-party clients like Pinksky or Skylight could choose to show blue checks or whatever UI for any verifiers they choose. All the data is on the protocol now, so the 3rd party clients wouldn't need to do the verification themselves.
CobrastanJorji|10 months ago
An automated version of this system might say "we verify anybody who at least N people within 3-4 steps of your followers graph are also following."
In a big city, you go to the store that's labeled "Butcher" and figure that, because the building is quite permanent and there's a lot of butchery stuff in there and it seems clean and there are people going in and out, then it's probably a fine butcher shop. No real "social" trust involved.
An automated version of this is probably domain checking, follower count, checking that N other 'verified' accounts follow it, some basic "is this a known malicious actor" checks, waiting until the account has some age, etc. Still kind of distributed, but not really relying on your own social trust metrics.
What's fun is that Bluesky allows you to implement both of those mechanisms yourself.
godelski|10 months ago
And what ever happened to Keybase? That seemed like a good solution. Verify by public private key? It really seems like that could be extended. I mean we have things like attribute keys and signing keys. It seems like a solvable solution but just the platforms need to create a means for the private bodies to integrate their keys.
Hell, I wish we'd have verification keys for cops and gov employees. So me a badge? No, show me a badge with a key I can scan and verify your identity. It's much harder to forge a badge with a valid key than it is to forge a badge that just looks good enough
TheJoeMan|10 months ago
verdverm|10 months ago
dbbk|10 months ago
Akronymus|10 months ago
unknown|10 months ago
[deleted]
shrink|10 months ago
The approach they've taken ("trusted verifiers") is an approach aligned with their values, as it is an extension of the labelling concept that is already well established in the ecosystem. As an idealist, it is a shame that they gave up, I think they could have had an impact on shifting how non-technical people view domain names and understand digital identity... but as a pragmatist, this is the right choice. Bluesky has to pick their battles, and this isn't a hill to die on.
[1] https://handles.net [2] https://news.ycombinator.com/item?id=42749786
yellowapple|10 months ago
That just leaves me wondering why they bothered with a new separate system instead of just using the existing label system. A "verified by bsky.social" or "verified by nyt.com" or whatever label would do the job perfectly well, no?
adityavinodh|10 months ago
Retr0id|10 months ago
They didn't really give up, though - the domain verification still stands and is just as powerful as ever.
sillysaurusx|10 months ago
All I’m saying is that if weak moderation has had a positive effect somewhere, it’s worth showcasing that. Otherwise the evidence is decisively in favor of strong moderation.
In terms of how to keep the moderation team from deteriorating, other platforms could learn a thing or two from HN: put someone competent in charge of the team, and give them lots of incentives to do well.
wmf|10 months ago
DevOps72|10 months ago
Because those conversations do end up happening elsewhere, this site is famous for leaving readers with a strongly false impression of what viewpoints are actually popular among whatever you would want to call this Silicon Valley hacker / VC scene space.
The highly insidious thing about censorship is not only you don't know what you're not seeing but you don't know you're not seeing it -- you don't know what's missing.
somat|10 months ago
Something like
So logically I would expect a protocol that allows cross domain verification. Best I can come up with is something that works sort of like domain verification extended to user@domain verification. that is, a better engineered version of "make a youtube video with the string 'unique uuid code' in the comment" so that we can verify you own that youtube account"The problem is that some domains would have no problem standing up this sort of verification. The Times only benefits from verifying it's employees. However I can see fellow social media sites balking as this equivalency weakens their walls that keep people in.
ammar2|10 months ago
toss2025away|10 months ago
jeswin|10 months ago
As someone who believes in equal access and privilege, this is just horrible. "Trusted Verifiers" - how does the bsky team decide which orgs can be trusted? One could argue that this is worse than Twitter. And of course, the echo chamber is going to get worse.
dvrj101|10 months ago
read again, slowly perhaps about first layer of verification.
sunaookami|10 months ago
ndjeosibfb|10 months ago
there’s nothing surprising about this
DecentShoes|10 months ago
[deleted]
FlyingSnake|10 months ago
It seems to me that BlueSky is trying to rewind the clock and be the pre-Elon Twitter. They had a decent chance to become what Signal is to messaging, but looks like they are trying to be just another Social Media company.
We’re truly in the post-social media age.
throwawa14223|10 months ago
senderista|10 months ago
https://www.turkishminute.com/2025/04/17/bluesky-restrict-ac...
arghandugh|10 months ago
vehemenz|10 months ago
paxys|10 months ago
Robotbeat|10 months ago
trompetenaccoun|10 months ago
News organizations have in recent years started selling so-called "contributor" positions. Anyone with enough money can be a journalist and influence public opinion. And NYT and similar outlets are not trustworthy sources either way, they sneak edit articles when they get caught spreading misinformation but regularly don't disclose what was actually changed. Basically rewriting their reporting as the narrative changes.
kristianc|10 months ago
doodlebugging|10 months ago
They describe it as a "blue check" when in fact it is a white check on a blue circular background.
Just nit-picking I guess but sometimes I read a passage that describes something and I conjure an image in my mind of what I would see should I open my eyes with it all laid out in front of me. This does not fit the image that is described in the post and makes we want to question the author's observational skills.
mattl|10 months ago
mhh__|10 months ago
SV_BubbleTime|10 months ago
Trend.
I mean, what even are network effects!?
blotfaba|10 months ago
A4ET8a8uTh0_v2|10 months ago
rambambram|10 months ago
The web really was better with more pseudonyms. I don't care if you are you, I can read your text, judge it on it's merits (according to my yardstick) and I basically don't care if you or other people consume information that is true or false.
Am I missing something?
stdclass|10 months ago
mastax|10 months ago
kmoser|10 months ago
The ability to put fake blue checks on your website isn't the point.
Bluesky (and the web at large) is slowly becoming filled with spam and AI-generated content. Even if you're OK with more spam (not sure why you would be but you do you), why would you be OK with more content generated by non-humans (the vast majority of which attempts to pass as human)? This just makes it harder to find needles of authentic human content in a haystack of slop.
Various levels of verification make it easier to distinguish what's real from not real, for whatever definition of "real" you prefer. Without any such verification, the web just becomes a bigger wasteland.
aboardRat4|10 months ago
Internet was intended to be anonymous.
preciousoo|10 months ago
benwilber0|10 months ago
steveklabnik|10 months ago
wilg|10 months ago
It doesn't mean "this person is trustworthy" it means "this person is who they claim to be". But people desperately want it to be the former, or some sort of club.
But these are completely orthogonal concepts that demand different solutions.
Bluesky should do better here though, their definition of "verified" is buried in the blog post as "authentic and notable". This is okay I guess, sort of matches old Twitter. But a bit wishy-washy.
One idea could be to link verification badges to Wikipedia (or Wikidata) entities so you understand who is confirming what about the account. "This Mark Cuban Bluesky account is the same as the Mark Cuban in this Wikipedia article" and let the Wikipedia editors fight over noteworthiness etc.
JSteph22|10 months ago
If it's only for notable people, then it is a sort of club.
btbuildem|10 months ago
NoTeslaThrow|10 months ago
Maybe people trying to protect their "brand"? Is there really that much demand for branded content?
pityJuke|10 months ago
I’m a proponent of verification only for “important people”. Yes, the definition of important is funny, and people may feel slighted by it: but I’ve yet to find a system that helps me identify high quality sources so immediately on a social media platform.
jchw|10 months ago
The trouble with what platforms like Twitter did was by trying to stick to some definition of important, they took what should be a mundane "yep, this is the person it looks like" icon and made it into a status symbol that everyone wanted. Twitter had a hard time defining the boundaries: Shouldn't they verify their most influential users even if they're not real world celebrities or public figures? What happens if someone who is verified says something that they don't like? How do you prevent corruption when you give other organizations special privileges for verification?
For Twitter and Instagram verification, people were bribing employees and getting verification just because they joined an organization (like an eSports team or a news organization.) This was not a good status quo.
Bluesky is probably headed towards the same problem if they try to be the bearer of who's important. Obviously, you can't verify any Joe Schmoe, but honestly you can just set a reasonable threshold based on their status in the platform for as to whether or not they should be eligible to get verification. When you do stuff like say "You should be able to be verified because you work for NYT", that's just weird. Being a journalist doesn't magically make you important, or mean that your posts will be worthy of greater consideration, yet that's what you're setting people up for when you make verification into a big ordeal like this, and it's the reason why Twitter would unverify people for e.g. having an opinion too far outside the Overton window. And using in-platform metrics to determine eligibility seems reasonable anyways... If you have like 10 followers, your verification status is utterly meaningless anyways.
I think if they want to solve the problem for journalists they should've verified the organizations and then made this separate from verifying individuals. Then accounts under that domain could just have some sort of special badge. This especially makes sense because otherwise you could literally just have your personal account become verified by having a couple month stint at the NYT or something, which is non-sensical.
mpalmer|10 months ago
pessimizer|10 months ago
galaxyLogic|10 months ago
If I am verified by 2 parties each of whom is verified by 10 parties each of whom is verified by 1 party then my verification score would be 20 (= 2 x 10 x 1).
Then people could trust me beinhg me 20 x more than somebody who is only verified by one party who is only verified by one party who is not verified by anybody?
nout|10 months ago
thunkingdeep|10 months ago
Not sure how big of a priority this is for the team that runs it, but I would probably use it 20x more if it was ran competently.
Zak|10 months ago
It's politics I can't avoid there, not pornography.
baxuz|10 months ago
And even that is not a guarantee as it needs to be validated by the bluesky team, for which it helps, in their own words – to have connections with them.
Otherwise I could buy dozens of domains and spin up bots to churn out AI slop as "validated" accounts. I could buy linustorvalds.com for 25k and impersonate him.
It's still a two-tier system for clout-chasers. If you're cool enough, you get a "Officially Cool™" badge from the bsky team. If you're not, hope that a 3rd party provider decides to give you one. Or you're a second-grade netizen.
uwemaurer|10 months ago
A high score usually indicates a trusted account. Check it out here: https://bluefacts.app/top
jarjoura|10 months ago
Trust is always going to be a game of cat and mouse, and this seems like just another move.
jamesfisher|10 months ago
Is this not still a top-down system, just with one level of indirection?
Something not-top-down might look more like the web-of-trust model.
Edmond|10 months ago
https://news.ycombinator.com/item?id=40298552#40298804
Delegation similar to bluesky's "NYT org issues certs to journalist" is also possible and done in a far more versatile manner.
If you have a domain and want the ability to issue certs to others, email me...this will just be for experimenting of course :)
zero0529|10 months ago
unknown|10 months ago
[deleted]
ChrisArchitect|10 months ago
Fine with this albeit very 'manual'...but not clear if any other choice. I do really like the domain username scheme and if anything this news just draws more attention to that because there's sooo many organizations/news outlets etc not taking advantage.
yellowapple|10 months ago
If these orgs don't have IT departments, then, well, pay me $20 and I'll do it for you.
gus_massa|10 months ago
Can a country I don't like verify it's president that I don't like neither?
Prime minister? Members of the Senate? All citizens? Their own bot farm?
NullPointerWin|10 months ago
ChrisArchitect|10 months ago
haha
thuanao|10 months ago
Before Twitter did any sort of verification it was not difficult to determine whether an account claiming to be someone was actually that person for anyone who was actually interested.
I suspect a lot of people have this delusional fantasy where “verification” is going to shape political discourse in their favor.
robertlagrant|10 months ago
It was if you were a regular, non-technical user or not terminally on Twitter.
SV_BubbleTime|10 months ago
Tireings|10 months ago
Can't be that hard to have this
derefr|10 months ago
After all, we already have an established and highly-monitored set of sibling "trust roots" — we call them Certificate Authorities.
And we already have an identity-validation system coupled onto X.509 FQDN-as-CN (i.e. TLS) certificates — certificate validation levels.
BlueSky could just:
1. require a domain username for verification;
2. require that the domain presents an Organization Validated (OV) cert for verification as a "public individual" (i.e. the kind with a "personal brand" — which usually implies "worth registering as an LLC");
3. require that the domain presents an Extended Validation (EV) cert for verification as a corporation.
...and the whole problem of identity validation becomes outsourced, and federated, and decentralized. (Federated because multiple sibling CAs; decentralized because every computer administrator gets to decide for themselves which CAs their machine should trust.)
---
A rebuttal might be that "EV certs can't be used for this, because EV certs are too expensive, take too long to get, and don't integrate well with automatic per-subdomain DV cert issuance via ACME."
But (IMHO) that's not a problem to be worked around; that's a problem to be fixed. Why leave a broken generalized web-of-trust infrastructure sitting there unused?
If an online casino can KYC/AML you in two minutes with a passport scan and a 3D camera photo, it shouldn't be impossible to do for OV+EV validation what we did for DV validation with ACME. (Ideally in such a way that you can do the interactive process once, receiving not a cert, but some kind of collateral; and then, later on, any ACME server should accept that collateral during an interactive domain ownership probe, to upgrade the DV cert it's issuing you into an OV/EV cert.)
---
The other neat thing about this approach is that, in a "fat" native BlueSky app (i.e. not just an Electron wrapper), the app wouldn't have to trust the BlueSky service to say who's verified. The app could TLS-validate each domain username itself, to compute the appropriate badge for that user — just as a web browser does when you visit a website. And it would presumably use your machine's OS TLS CA store for that validation, just as (some) browsers do.
rafram|10 months ago
2. I've been programming and hosting websites for a decade+ and I would have no idea where to start with any of the things that you propose they "just" require.
3. The OV requirement seems kind of hokey. There's no such thing as "worth registering as an LLC" — anything can be an LLC. You could have an LLC that just holds your dog's assets and call it Internal Revenue Service (LLC), assuming someone else hasn't already grabbed that name in your state, and that would be completely valid.
All of this would make it way too difficult to navigate verification for normal people, and I'm not convinced it would do anything to stop determinated bad actors.
[1]: https://chaos.social/@jonty/110307532009155432
giaour|10 months ago
egberts1|10 months ago
Not a good look.
stego-tech|10 months ago
Domain verification was genuinely all the verification needed. This checkmark system is just a copy-paste troublemaker from Twitter, and we all saw how well that turned out whenever a celebrity or billionaire's account got hacked to shill grifto schemes. Training users to only look for a symbol just desensitizes them to the complexities of identity and sanctioned speech.
pessimizer|10 months ago
This is what their users are looking for. They don't want complexity, they want to know who they're supposed to listen to.
uriegas|10 months ago
[deleted]
unknown|10 months ago
[deleted]
unknown|10 months ago
[deleted]