I wonder what the UX for that would look like. I doubt this can or even should be something displayed in-stream like the Twitter verified badge, because with custom emojis, the display name area is absolutely untrustworthy. More than that, the presence of a verified link is meaningless unless you trust the linked site (such as someone's official personal homepage)
So it would probably be something only displayed next to those links.
Okay I didn't mention what the "special attribute" was because I didn't want to alienate the non-dev audience, but I'm getting a lot of suggestions for complicated things, so yeah, I meant microformats rel="me", it's the simplest thing, why would you even bother with TXT records or public keys
@dotUser @Gargron login/account/identity schemes frequently conflate identity, security, privacy and authority. they are very much not the same concerns and persisting in 2018 to use rocks to try and drive in screws looks ridiculous. a random number (which is all a pubkey is when you’re not using it to do work) doesn’t prove anything that a rel=“me” link doesn’t.
@zensaiyuki @dotUser While I am for rel=me based verification, public key based verification is not just putting your public key somewhere. You generate a signature of the link with your private key you never upload anywhere, and put that on that link, and clients confirm this signature matches up with your public key. No one else can replicate that.
@Gargron @dotUser that actually proves less than the rel=“me” scheme- it proves you have a particular private key, which is useful given a number of complicated prerequisites most people won’t bother with. rel=“me” proves you have access to modify that website.
of course, your private key can be stolen and your website can be hacked, or modified by someone who works in your website for you.
@Gargron @dotUser so is the actual goal to prevent someone from impersonating a celebrity, journalist or politician? or just any joe shmo. the real question is how much proof of identity is sufficient for the actual goal at hand. in the case of the twitter verified mark- the point of contention is that public remarks by public figures, if taken as genuine, have potentially serious consequences.
@Gargron If you're talking about domain 'txt' records, I don't know that that would be realistic enough, it's very easy to fake those. I suggest a third party service which can verify a user's identity and confirm it for you. I'm looking now to see if I can find something like that.
@Gargron It sounds like you could build support for a dedicated "also me" field, where users can paste links to any web page that contains a parseable `rel="me"` microformatted link... or perhaps otherwise links to your mastodon profile in plaintext? i don't think you can e.g. insert rel-me links into Twitter or Facebook; at the same time, this could still easily be emulated by custom profile fields already right now if you expect users to manually check the "proof" linked.
@Gargron Tweetbot puts the verified badge over the user’s icon in a way that can’t be spoofed, rather than relying on the display name area. It would probably require framing icons with an outline so it’d be more obvious if someone were trying to get cute. Combine with making the badge link to the authenticating page, and making it a separate field in the profile with its own format (maybe a plain link that spans both columns of the custom labels area)?
@Gargron we discussed this a LOT last week; the general idea is that the links in the profile would be marked as verified.
Should give you some reading...
Verifying could be up to the mods to check and organize
@Gargron this sounds a lot like keybase's proof system. It might be worth looking into seeing if there's a way to do generate and log arbitrary proofs through it. It has the advantage of the robustness of public key/private key signing but abstracts the creation and management of keys away so the average user would be able to use.
Follow friends and discover new ones. Publish anything you want: links, pictures, text, video. This server is run by the main developers of the Mastodon project. Everyone is welcome as long as you follow our code of conduct!