this post was submitted on 19 Apr 2025
726 points (95.7% liked)

Technology

69109 readers
3242 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related news or articles.
  3. Be excellent to each other!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
  9. Check for duplicates before posting, duplicates may be removed
  10. Accounts 7 days and younger will have their posts automatically removed.

Approved Bots

founded 2 years ago
MODERATORS
L3s@lemmy.world
enu@lemmy.world
technopagan@lemmy.world
L4s@lemmy.world
L3s@hackingne.ws
L4s@hackingne.ws
726
Angry, disappointed users react to Bluesky's upcoming blue check mark verification system (www.neowin.net)
submitted 3 days ago by cyrano@lemmy.dbzer0.com to c/technology@lemmy.world
201 comments fedilink hide all child comments
you are viewing a single comment's thread
view the rest of the comments
[–] sugar_in_your_tea@sh.itjust.works 27 points 1 day ago (2 children)

The checkmark is the wrong approach. You should never trust accounts, because accounts get hacked. We should instead use cryptographic signatures on individual posts, and clients can warn when that signature doesn't match the account's public key, or if that key changed recently. The private key would never live on the server, and ideally live outside the app.

This doesn't verify identity, it just proves the key didn't change. To establish identity, the person needs to use the same key in multiple places, such as posting it on a personal website or something. If a service wants to add their own stamp of approval, they can sign these public keys and embed them into the apl for clients to use (e.g. show a blue checkmark if Bluesky can verify the public key outside its system).

If the private key is compromised, repeat the process, potentially signing the new key with both the old and new key to prove control of both (or start from scratch if needed). Repeat whenever they get hacked.

[–] Yoga@lemmy.ca 6 points 1 day ago

Average user:

"Wait how do I get cryptocurrency with my key?"

[–] AHamSandwich@lemmy.world 4 points 1 day ago (1 children)

This is a great idea.

[–] sugar_in_your_tea@sh.itjust.works 5 points 1 day ago

It's also not new. GPG has been around for decades, and is pretty much this.