The approach they've taken ("trusted verifiers") is an approach aligned with their values, as it is an extension of the labelling concept that is already well established in the ecosystem. As an idealist, it is a shame that they gave up; I think they could have had an impact on shifting how non-technical people view domain names and understand digital identity... but as a pragmatist, this is the right choice. Bluesky has to pick their battles, and this isn't a hill to die on.
[1] https://handles.net [2] https://news.ycombinator.com/item?id=42749786
Fine with this albeit very 'manual'...but not clear if any other choice. I do really like the domain username scheme and if anything this news just draws more attention to that because there's sooo many organizations/news outlets etc not taking advantage.
News organizations have in recent years started selling so-called "contributor" positions. Anyone with enough money can be a journalist and influence public opinion. And NYT and similar outlets are not trustworthy sources either way, they sneak edit articles when they get caught spreading misinformation but regularly don't disclose what was actually changed. Basically rewriting their reporting as the narrative changes.
I’m a proponent of verification only for “important people”. Yes, the definition of important is funny, and people may feel slighted by it: but I’ve yet to find a system that helps me identify high quality sources so immediately on a social media platform.
The trouble with what platforms like Twitter did was by trying to stick to some definition of important, they took what should be a mundane "yep, this is the person it looks like" icon and made it into a status symbol that everyone wanted. Twitter had a hard time defining the boundaries: Shouldn't they verify their most influential users even if they're not real world celebrities or public figures? What happens if someone who is verified says something that they don't like? How do you prevent corruption when you give other organizations special privileges for verification?
For Twitter and Instagram verification, people were bribing employees and getting verification just because they joined an organization (like an eSports team or a news organization.) This was not a good status quo.
Bluesky is probably headed towards the same problem if they try to be the bearer of who's important. Obviously, you can't verify any Joe Schmoe, but honestly you can just set a reasonable threshold based on their status in the platform for as to whether or not they should be eligible to get verification. When you do stuff like say "You should be able to be verified because you work for NYT", that's just weird. Being a journalist doesn't magically make you important, or mean that your posts will be worthy of greater consideration, yet that's what you're setting people up for when you make verification into a big ordeal like this, and it's the reason why Twitter would unverify people for e.g. having an opinion too far outside the Overton window. And using in-platform metrics to determine eligibility seems reasonable anyways... If you have like 10 followers, your verification status is utterly meaningless anyways.
I think if they want to solve the problem for journalists they should've verified the organizations and then made this separate from verifying individuals. Then accounts under that domain could just have some sort of special badge. This especially makes sense because otherwise you could literally just have your personal account become verified by having a couple month stint at the NYT or something, which is nonsensical.
https://www.turkishminute.com/2025/04/17/bluesky-restrict-ac...
We need a way to reflect that human "social trust" is born distributed, and centralising trust subverts it. But here, while they introduce third party verifiers, rather than individuals deciding which verifiers to trust, bsky is going to bless some. So this is just centralised trust with delegation.
Keybase got acquired back in 2020 and its popularity -- at least among cypherpunks -- seems to have dropped off.
feels like identity + trust systems keep coming back around but never quite stick. maybe too hard to balance usability, decentralization, and adoption all at once.
And what ever happened to Keybase? That seemed like a good solution. Verify by public private key? It really seems like that could be extended. I mean we have things like attribute keys and signing keys. It seems like a solvable solution but just the platforms need to create a means for the private bodies to integrate their keys.
Hell, I wish we'd have verification keys for cops and gov employees. Show me a badge? No, show me a badge with a key I can scan and verify your identity. It's much harder to forge a badge with a valid key than it is to forge a badge that just looks good enough.
They got acquired by Zoom and promptly put Keybase into maintenance mode.
DNS for your average user is too complicated. Also what should the domain name be for a journalist at the NYT? What if they leave the NYT?
> DNS for your average user is too complicated.
The average user doesn't need verification either. In fact, I don't think I want most users verified. It then creates a reverse incentive where anonymous accounts are distrusted by default and too much trust is given to verification. An important part of a system with free speech and not governable (the point of distributed) is to be able to freely speak. Sometimes that means hiding your identity. Especially for those in countries or societies with particularly authoritarian rule. The best way to keep people quiet is to make them afraid of their neighbor.
> what should the domain name be for a journalist at the NYT?
AliceBob@NYT
> What if they leave the NYT?
AliceBob@bsky.social
Everyone has the bsky.social handle, so you revert. I'd even be happy if optional profiles could show former affiliations. But it doesn't seem like a big problem. I mean NYT shouldn't be verifying a journalist if that journalist is no longer at NYT. Their new employer should.
Domain verification was genuinely all the verification needed. This checkmark system is just a copy-paste troublemaker from Twitter, and we all saw how well that turned out whenever a celebrity or billionaire's account got hacked to shill grifto schemes. Training users to only look for a symbol just desensitizes them to the complexities of identity and sanctioned speech.
This is what their users are looking for. They don't want complexity, they want to know who they're supposed to listen to.
After all, we already have an established and highly-monitored set of sibling "trust roots" — we call them Certificate Authorities.
And we already have an identity-validation system coupled onto X.509 FQDN-as-CN (i.e. TLS) certificates — certificate validation levels.
BlueSky could just:
1. require a domain username for verification;
2. require that the domain presents an Organization Validated (OV) cert for verification as a "public individual" (i.e. the kind with a "personal brand" — which usually implies "worth registering as an LLC");
3. require that the domain presents an Extended Validation (EV) cert for verification as a corporation.
...and the whole problem of identity validation becomes outsourced, and federated, and decentralized. (Federated because multiple sibling CAs; decentralized because every computer administrator gets to decide for themselves which CAs their machine should trust.)
---
A rebuttal might be that "EV certs can't be used for this, because EV certs are too expensive, take too long to get, and don't integrate well with automatic per-subdomain DV cert issuance via ACME."
But (IMHO) that's not a problem to be worked around; that's a problem to be fixed. Why leave a broken generalized web-of-trust infrastructure sitting there unused?
If an online casino can KYC/AML you in two minutes with a passport scan and a 3D camera photo, it shouldn't be impossible to do for OV+EV validation what we did for DV validation with ACME. (Ideally in such a way that you can do the interactive process once, receiving not a cert, but some kind of collateral; and then, later on, any ACME server should accept that collateral during an interactive domain ownership probe, to upgrade the DV cert it's issuing you into an OV/EV cert.)
---
The other neat thing about this approach is that, in a "fat" native BlueSky app (i.e. not just an Electron wrapper), the app wouldn't have to trust the BlueSky service to say who's verified. The app could TLS-validate each domain username itself, to compute the appropriate badge for that user — just as a web browser does when you visit a website. And it would presumably use your machine's OS TLS CA store for that validation, just as (some) browsers do.
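The client-side badge computation proposed in the comment above, sketched as an added example (not code from the thread or from Bluesky): it reads the CA/Browser Forum policy OIDs out of a certificate's certificatePolicies extension and maps OV/EV to the two proposed badge tiers. The function names and the `chain_trusted` input are assumptions, and the DER samples are constructed by hand.

```python
EV = "2.23.140.1.1"    # CA/Browser Forum policy OID: Extended Validation
OV = "2.23.140.1.2.2"  # CA/Browser Forum policy OID: Organization Validated

def read_tlv(buf, pos):
    """Read one DER element; return (tag, value bytes, offset after it)."""
    tag, length = buf[pos:pos + 2]           # ValueError if the header is truncated
    pos += 2
    if length & 0x80:                        # long-form length
        n = length & 0x7F
        if not 1 <= n <= 4 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    """Turn OBJECT IDENTIFIER content bytes into dotted notation."""
    if not body or body[-1] & 0x80:
        raise ValueError("malformed OID")
    arcs, value = [], 0
    for b in body:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                     # high bit clear ends a sub-identifier
            arcs.append(value)
            value = 0
    first = min(arcs[0] // 40, 2)            # first two arcs share one sub-identifier
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def policy_oids(ext_value):
    """List the policy OIDs in a certificatePolicies extension value."""
    tag, seq, _ = read_tlv(ext_value, 0)
    oids, pos = [], 0
    while pos < len(seq):
        info_tag, info, pos = read_tlv(seq, pos)    # one PolicyInformation
        oid_tag, oid_body, _ = read_tlv(info, 0)
        if (tag, info_tag, oid_tag) != (0x30, 0x30, 0x06):
            raise ValueError("malformed certificatePolicies")
        oids.append(decode_oid(oid_body))
    return oids

def badge_for(ext_value, chain_trusted):
    """Badge tier per the comment's proposal; None without a trusted chain."""
    oids = policy_oids(ext_value) if chain_trusted else []  # untrusted cert proves nothing
    return "corporation" if EV in oids else "public individual" if OV in oids else None

SAMPLE_EV = bytes.fromhex("30093007060567810c0101")  # constructed DER, as are the next two
SAMPLE_OV = bytes.fromhex("301130050603883701" "3008060667810c010202")  # 2.999.1 + OV
SAMPLE_DV = bytes.fromhex("300a3008060667810c010201")
```

`chain_trusted` stands in for ordinary TLS validation of the handle's domain against the local CA store; the policy OID only means something once that check has passed.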
2. I've been programming and hosting websites for a decade+ and I would have no idea where to start with any of the things that you propose they "just" require.
3. The OV requirement seems kind of hokey. There's no such thing as "worth registering as an LLC" — anything can be an LLC. You could have an LLC that just holds your dog's assets and call it Internal Revenue Service (LLC), assuming someone else hasn't already grabbed that name in your state, and that would be completely valid.
All of this would make it way too difficult to navigate verification for normal people, and I'm not convinced it would do anything to stop determined bad actors.
Can't be that hard to have this
They describe it as a "blue check" when in fact it is a white check on a blue circular background.
Just nit-picking I guess but sometimes I read a passage that describes something and I conjure an image in my mind of what I would see should I open my eyes with it all laid out in front of me. This does not fit the image that is described in the post and makes me want to question the author's observational skills.
Something like
bluesky user X is equivalent(has control)
to domain A(domain verification)
to youtube account B (youtube verification)
to mastodon account C (mastodon verification)
to D@nytimes.com (email verification)
So logically I would expect a protocol that allows cross domain verification. Best I can come up with is something that works sort of like domain verification extended to user@domain verification. That is, a better engineered version of "make a youtube video with the string 'unique uuid code' in the comment" so that we can verify you own that youtube account.
The problem is that some domains would have no problem standing up this sort of verification. The Times only benefits from verifying its employees. However I can see fellow social media sites balking as this equivalency weakens their walls that keep people in.
Not sure how big of a priority this is for the team that runs it, but I would probably use it 20x more if it was run competently.
It's politics I can't avoid there, not pornography.
https://news.ycombinator.com/item?id=40298552#40298804
Delegation similar to bluesky's "NYT org issues certs to journalist" is also possible and done in a far more versatile manner.
If you have a domain and want the ability to issue certs to others, email me...this will just be for experimenting of course :)
All I’m saying is that if weak moderation has had a positive effect somewhere, it’s worth showcasing that. Otherwise the evidence is decisively in favor of strong moderation.
In terms of how to keep the moderation team from deteriorating, other platforms could learn a thing or two from HN: put someone competent in charge of the team, and give them lots of incentives to do well.
greyface-•2h ago
How is this compatible with Bluesky's internal cultural vision of "The company is a future adversary"[1][2][3]? With Twitter, we've seen what happens with the bluecheck feature when there's a corporate power struggle.
[1]: https://news.ycombinator.com/item?id=35012757 [2]: https://bsky.app/profile/pfrazee.com/post/3jypidwokmu2m [3]: https://www.newyorker.com/magazine/2025/04/14/blueskys-quest...
hombre_fatal•2h ago
The problem with Twitter (before the whole blue check system was gutted into meaninglessness) was that not enough verification badges were handed out. It's not exactly a dangerous situation.
Bluesky's idea of verified orgs granting verification badges to its own org members would be an example of a much more robust and hands off system than what Twitter had.
The dangerous scenario is what happened to Twitter after the Elon takeover: verification becomes meaningless overnight while users still give the same gravity to verification badges which causes a huge impersonation problem. But that possibility is not a reason to have zero verification.
d4mi3n•1h ago
The WoT model works but as GPG has shown it requires your end users (people? BlueSky client developers?) to manage who they trust as an authority on anything.
godelski•34m ago
What was the problem with the current DNS system? I definitely think there could be improvements like displaying domain instead of TLD but still.
And why not move into a system like multiparty keys? Keys assigned by domain holder, need to be signed, and verified accounts must login with a private key that validates. That way you don't just get that the account is validated but the post is too. Yeah, this would require more technical expertise to do but the organizations we're usually most concerned about would have no problem with that. Besides, tooling gets easier when there's meaningful pushes to make it available to general audiences
derefr•1h ago
> For example, the New York Times can now issue blue checks to its journalists directly in the app. Bluesky’s moderation team reviews each verification to ensure authenticity.
comeonbro•3m ago
https://techcrunch.com/2017/11/15/twitter-removes-verified-c...
Also not pictured: innumerable others who were never granted a blue check in the first place, despite being the verifiable accounts of journalists and public figures.
It was a caste system.
fortran77•29m ago
What Twitter started doing was removing blue checks from people who were causing problems for the platform (but not behaving badly enough to kick off). This made no sense because people still needed to know if a person was who he claimed to be (e.g., Milo Yiannopoulos) even if the person was controversial or problematic or just plain nasty.
Blue Checks weren't "gutted". Now they just mean something else -- you're a premium subscriber.