A new form of verification on Bluesky
143 comments
· April 21, 2025 · steveklabnik
yellowapple
I wish it'd work like labelers and other moderation features: with users able to choose which verifiers to use. I trust the NYT as far as I can throw them when it comes to verification, for example, whereas I'd be interested in something flagging Bluesky employees or contributors to a given GitHub repository or whatever other bizarre things people would use this for like they already use labels.
steveklabnik
What's good is that the technical design here allows them to pivot into that if they choose, and alternative clients can already do that if they wish.
Zak
It seems to me this feature would be much better if users could subscribe to verifiers the way they can labelers, perhaps with the official verifier subscribed by default. The current implementation feels centralized in a way that conflicts with BlueSky's stated goals.
steveklabnik
I'd agree that would be nice, but at least they can change into that in the future if they want.
Hilariously, it's kind of less centralized than I expected: there's no "Bluesky is the web of the root of trust" here, only "Bluesky chooses which records convert to UI" which leaves the whole system open for others.
joshuaturner
Initially I just thought they verified people working at Bluesky, which made enough sense, but this initial batch seeming so arbitrarily decided isn't a good look. It feels all too similar to the "I know someone at Twitter" verification in the SF tech community.
steveklabnik
Some employees aren't even verified!
I hear you. I haven't investigated every account that got the badge, but it feels to me like they picked people who are both technical and engaged with the protocol, so not entirely arbitrary. That naturally will have some correlation with "I know someone at bsky". I know I've seen accounts that I think are cooler than I am who didn't get verified yet! I'm sure they'll be expanding soon, which will dilute this sort of association.
FlyingSnake
Unfortunately that’s how I’m beginning to see this too, a sign of old school nepotism and struggle to regain lost status. We’ve seen how this unfolded for Twitter.
throwaway642012
Do you have any insight on how this initial batch of verified users was selected?
I’m on Bsky as well but haven’t seen any such updates.
steveklabnik
I have no real insight. I do know that I am a big fan of Bluesky/atproto and post about it fairly regularly, and enjoy being friendly with the devs. They verified just over 200 accounts, and most of them are news organizations and their employees, and the rest are programmers who regularly use the site and/or engage with the protocol.
I think this makes sense, because 1. most people want this sort of feature for news and 2. the kinds of people they verified technically are likely to play around with it and see how sound it is, which is who I'd want to be kicking the tires.
I'm not sure when they'll verify more people, but this is only the beginning, for sure.
greyface-
> Bluesky’s moderation team reviews each verification to ensure authenticity.
How is this compatible with Bluesky's internal cultural vision of "The company is a future adversary"[1][2][3]? With Twitter, we've seen what happens with the bluecheck feature when there's a corporate power struggle.
[1]: https://news.ycombinator.com/item?id=35012757
[2]: https://bsky.app/profile/pfrazee.com/post/3jypidwokmu2m
[3]: https://www.newyorker.com/magazine/2025/04/14/blueskys-quest...
hombre_fatal
I don't see how it's incompatible.
The problem with Twitter (before the whole blue check system was gutted into meaninglessness) was that not enough verification badges were handed out. It's not exactly a dangerous situation.
Bluesky's idea of verified orgs granting verification badges to its own org members would be an example of a much more robust and hands off system than what Twitter had.
The dangerous scenario is what happened to Twitter after the Elon takeover: verification becomes meaningless overnight while users still give the same gravity to verification badges which causes a huge impersonation problem. But that possibility is not a reason to have zero verification.
righthand
What’s stopping me from making an org that hands out verifications to anyone?
steveklabnik
Nothing: anyone can hand out verifications to anyone they'd like.
Now, how those are displayed is up to the display software. BlueSky themselves get to decide who gets a blue check based on verification records, but if you wrote your own software, you could do whatever you'd like. There's a bsky fork that already has an account option to let you hide blue checks in your own view.
derefr
Bluesky's moderators, apparently.
> For example, the New York Times can now issue blue checks to its journalists directly in the app. Bluesky’s moderation team reviews each verification to ensure authenticity.
d4mi3n
Presumably a contractual agreement with BlueSky. Trust needs to stem from somewhere, so you’re either looking at a web-of-trust model where somebody (BlueSky or BlueSky clients) makes decisions on what sign-offs to trust, or you trust BlueSky to perform due diligence on partner orgs that provide this service and to hold them accountable when that trust is breached.
The WoT model works but as GPG has shown it requires your end users (people? BlueSky client developers?) to manage who they trust as an authority on anything.
verdverm
Nothing, however AppViews like Bluesky decide which verifiers they trust. An AppView could also allow for user choice, like how algos and moderation work.
fortran77
The problem I had with twitter was the check was supposed to mean one thing and one thing only: that the person was who he or she claimed to be.
What twitter started doing was removing blue checks from people who were causing problems for the platform (but not behaving badly enough to kick off). This made no sense because people still needed to know if a person was who he claimed to be (e.g., Milo Yiannopoulos) even if the person was controversial or problematic or just plain nasty.
Blue Checks weren't "gutted". Now they just mean something else -- you're a premium subscriber.
wyclif
This is absolutely correct—I remember quite clearly how it all went down. When Twitter first rolled out verification, it was supposed to ensure that the person you were following or interacting with was the person they claimed to be.
NelsonMinar
The problem is that X (formerly Twitter) is still calling blue checks "verified". Even though nothing about the account is verified. It's deliberately misleading.
TiredOfLife
The problem with Twitter (before the whole blue check system was gutted into meaninglessness) was that verification badges were merit and nepotism and not identity based
mattl
That’s not true though. They were for journalists and public figures.
ein0p
Why is it "meaningless overnight" on Twitter? Twitter knows who you are if you're paying them monthly. Ergo, you are "verified".
tedunangst
What happens when the government of Turkey objects to your verification?
wmf
Coming soon from Bluesky: per-country verification.
yellowapple
That'd certainly be a neat feature: national/regional/local governments running their own verifier accounts and providing Bluesky/ATproto verification to their residents.
ajb
Not convinced by this.
We need a way to reflect that human "social trust" is born distributed, and centralising trust subverts it. But here, while they introduce third party verifiers, rather than individuals deciding which verifiers to trust, bsky is going to bless some. So this is just centralised trust with delegation.
TheJoeMan
Are there any good examples of a working "vouch" system? I vouch for a few friends, they vouch others, etc. But if my credibility is revoked, everyone downstream of me is either yanked or needs a new voucher.
fp64
A long time ago there was this “web of trust”, I don’t think it exists anymore. Was one of the big CA and you could get different certificates through some form of vouching, I think it even went as far as meeting people to show your ID and then they sign you or something. As it was run by a big CA, not really distributed but IIRC they kept their involvement minimal. It’s been a long time but if you’re curious maybe look into that
runjake
It might have been Keybase?
Keybase got acquired back in 2020 and its popularity -- at least among cypherpunks, seems to have dropped off.
duskwuff
CACert.org, but they were never included in any major trust store.
aunetx
There is a p2p social network (as in, people offering their services whatsoever) in France that does exactly this: it's called "Gens de confiance". It works well, although it creates kind of a gated community (as intended: it is mainly meant for upper-class social circles).
benwilber0
My initial thought is about GPG's "Web of Trust" system for trusting strangers' keys. But I don't know if that's a very good example since it always seemed somewhat esoteric and maybe not very successful in general.
giaour
"Working" would be a stretch, but this is how "web of trust" systems like PGP are supposed to function. Although I would say the BlueSky system sounds like it could skirt some of the pitfalls of web of trust because verifiers can also be trusted to revoke verification.
jsheard
I think the more exclusive private torrent trackers usually work on that basis.
paulsutter
Google Pagerank
Could use follows, retweets, etc instead of page links
godelski
arXiv. Though they don't revoke papers that way
Akronymus
IMO a system of "I vouch for these accounts" and "I trust the accounts these accounts vouch for, and the accounts those vouched for vouch for up to x levels deep" would be a workable solution.
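The depth-limited vouching discussed in the comments above, including what happens downstream when one voucher is revoked, as an added sketch (not any commenter's or Bluesky's code). The graph, account names and function names are constructed for illustration.

```javascript
// Constructed vouch graph: voucher -> accounts they vouch for.
const vouches = {
  me: ['alice', 'bob'],
  alice: ['carol'],
  bob: ['carol', 'dave'],
  carol: ['erin'],
  dave: ['frank'],
};

// Breadth-first walk from `root`, following vouches up to maxDepth levels.
// Revoked accounts are neither trusted nor followed, so everything that was
// reachable only through them drops out. Returns Map(account -> depth).
function trustedSet(graph, root, maxDepth, revoked = new Set()) {
  const depthOf = new Map();
  let frontier = [root];
  for (let depth = 1; depth <= maxDepth && frontier.length > 0; depth++) {
    const next = [];
    for (const voucher of frontier) {
      for (const account of graph[voucher] || []) {
        if (account === root) continue;          // ignore vouches back to me
        if (revoked.has(account)) continue;      // revoked: not trusted, not followed
        if (depthOf.has(account)) continue;      // already reached at a shorter depth
        depthOf.set(account, depth);
        next.push(account);
      }
    }
    frontier = next;
  }
  return depthOf;
}

// Accounts that lose trust when `account` is revoked. Anyone with a second,
// independent voucher inside the depth limit keeps their status.
function lostOnRevocation(graph, root, maxDepth, account) {
  const before = trustedSet(graph, root, maxDepth);
  const after = trustedSet(graph, root, maxDepth, new Set([account]));
  return [...before.keys()].filter((a) => !after.has(a)).sort();
}

// With 2 levels, erin and frank are out of range; with 3 they are included.
console.log([...trustedSet(vouches, 'me', 2).keys()]);
console.log([...trustedSet(vouches, 'me', 3).keys()]);
// Revoking bob removes dave and frank, but carol and erin survive via alice.
console.log(lostOnRevocation(vouches, 'me', 3, 'bob'));
```
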
godelski
I don't see what the problem was with using domains. If you're trying to claim you work for NYT then get a NYT verified account?
And what ever happened to Keybase? That seemed like a good solution. Verify by public private key? It really seems like that could be extended. I mean we have things like attribute keys and signing keys. It seems like a solvable solution but just the platforms need to create a means for the private bodies to integrate their keys.
Hell, I wish we'd have verification keys for cops and gov employees. Show me a badge? No, show me a badge with a key I can scan and verify your identity. It's much harder to forge a badge with a valid key than it is to forge a badge that just looks good enough
steveklabnik
> If you're trying to claim you work for NYT then get a NYT verified account?
Part of the problem here is consistent identity over time. People do not like changing their handles unless they want to. I'm steveklabnik.com now, but if I started working at the NYT, and had to switch to steveklabnik.nyt.com, old links break to my posts, etc. And what happens if I want to be verified by more than one org at a time? Domains (at present) can't do that.
godelski
> old links break to my posts
Do they? I didn't observe any breaks when I did my DNS verification.
> People do not like changing their handles unless they want to
I don't see it that way. On both twitter and BlueSky there are two handles. I'm sure there's a better term, but let's say "display handle" and "address handle". (On HN they're the same) People are paying attention to the Display Handle and not the address one. Most of the time the address one is even cut off and is partially hidden anyways.[0]
> what happens if I want to be verified by more than one org at a time?
First off, it doesn't seem like Bluesky's implementation will do this so I'm not sure why it is being brought up into this conversation.
Second off, I agree that this is a desirable thing to have. It is why I was suggesting something similar to keybase (keyoxide?) or attribute keys. It definitely seems like Bluesky is intending to do something similar to the attribute keys but there's some details lacking and seems like an existing verified user needs to vet an entity prior to their ability to distribute keys. I'd also be quite happy if there was a publicly visible ledger so one could see former verifications (it's all visible via the firehose anyways, right?).
[0] And there's the classic problem on typing "@" and then the person's name and not actually finding them because the search system is fucked up and is looking for the address handle. I've seen this on both sites, more frequently twitter, and even when typing the address handle directly. Apparently this is a harder problem than I'd have thought (particularly replying to someone in the thread...)
yellowapple
This seems like a perfect use case for `alsoKnownAs` being an array (which is already the case AFAICT). My primary handle (i.e. the first entry in the array) would still be @yellowapple.us, but with secondaries under the domains of affiliated orgs.
9283409232
I feel like this could be solved with organizations like Github. Steveklabnik.com can belong to the NYT umbrella org. Like on Github, you can either be kicked out or leave the org if you wish.
detectd
> And whatever happened to Keybase?
They got acquired by Zoom and promptly put Keybase into maintenance mode.
mattl
> I don't see what the problem was with using domains.
DNS for your average user is too complicated. Also what should the domain name be for a journalist at the NYT? What if they leave the NYT?
godelski
> DNS for your average user is too complicated.
The average user doesn't need verification either.
In fact, I don't think I want most users verified. It then creates a reverse incentive where anonymous accounts are distrusted by default and too much trust is given to verification. An important part of a system with free speech and not governable (the point of distributed) is to be able to freely speak. Sometimes that means hiding your identity. Especially for those in countries or societies with particularly authoritarian rule. The best way to keep people quiet is to make them afraid of their neighbor.
> what should the domain name be for a journalist at the NYT?
AliceBob@NYT
> What if they leave the NYT?
AliceBob@bsky.social
Everyone has the bsky.social handle, so you revert. I'd even be happy if optional profiles could show former affiliations. But it doesn't seem like a big problem. I mean NYT shouldn't be verifying a journalist if that journalist is no longer at NYT. Their new employer should.
dbbk
Ironically, Twitter's mechanism of auto-verifying anyone over 1M followers kind of achieves this.
verdverm
Apps on ATProto get to decide for themselves. Another Bluesky client, or a completely different app, can make different choices. Users can then decide which interface they want to use. All part of the design of ATProto
shrink
I built handles.net[1] to make it easy for organisations to manage their member's handles, I think that using domain names for identity is neat and valuable, I have a vested interest in its success as a paradigm but... domain name "verification" is not the right solution today for non-technical people. I shared this sentiment a few months ago[2] and I have only become more confident in that assessment since.
The approach they've taken ("trusted verifiers") is an approach aligned with their values, as it is an extension of the labelling concept that is already well established in the ecosystem. As an idealist, it is a shame that they gave up, I think they could have had an impact on shifting how non-technical people view domain names and understand digital identity... but as a pragmatist, this is the right choice. Bluesky has to pick their battles, and this isn't a hill to die on.
[1] https://handles.net
[2] https://news.ycombinator.com/item?id=42749786
yellowapple
> The approach they've taken ("trusted verifiers") is an approach aligned with their values, as it is an extension of the labelling concept that is already well established in the ecosystem.
That just leaves me wondering why they bothered with a new separate system instead of just using the existing label system. A "verified by bsky.social" or "verified by nyt.com" or whatever label would do the job perfectly well, no?
steveklabnik
I would have liked to have seen a justification for this as well. One thing about labels is that they can apply on a per-post granularity as well as a per-account granularity, but verification is purely account-level. Another is that they have slightly different semantics, you can lose your blue check if you change your handle or display name, but labels stay the same no matter what. That's probably the real justification for making it its own feature.
adityavinodh
Yeah my initial reaction was not too positive. There's something weird to me about simply delegating verification to a third party organization. I'd prefer a more pure solution. Maybe we don't have a solution yet that is simple enough for widespread adoption. The domain based identity does seem a bit too complicated for the average user.
somat
This is better than Twitter's nonsensical verification but still does not close the loop all the way. I think what is needed are a set of equivalency verifications. Sort of like the domain verification used in getting a TLS certificate.
Something like
bluesky user X is equivalent(has control)
to domain A(domain verification)
to youtube account B (youtube verification)
to mastodon account C (mastodon verification)
to D@nytimes.com (email verification)
So logically I would expect a protocol that allows cross domain verification. Best I can come up with is something that works sort of like domain verification extended to user@domain verification. That is, a better engineered version of "make a youtube video with the string 'unique uuid code' in the comment so that we can verify you own that youtube account".
The problem is that some domains would have no problem standing up this sort of verification. The Times only benefits from verifying its employees. However I can see fellow social media sites balking as this equivalency weakens their walls that keep people in.
ammar2
What you're proposing is reminiscent of Keybase's account verification system. You make a post or equivalent on each platform with cryptographic proof that it's you. (e.g here's mine for GitHub https://gist.github.com/ammaraskar/0f2714c46f796734efff7b2dd...).
toss2025away
keybase.io
FlyingSnake
Hamartia: The tragic flaw that takes the hero to the top will lead to its downfall.
It seems to me that BlueSky is trying to rewind the clock and be the pre-Elon Twitter. They had a decent chance to become what Signal is to messaging, but looks like they are trying to be just another Social Media company.
We’re truly in the post-social media age.
paxys
I like the idea of a trust hierarchy. Bluesky verifies NYT, then NYT verifies all their journalists. Makes the entire process a lot more scalable.
Robotbeat
NYT journalists as a privileged class… With actions like this, Bluesky is not exactly beating the allegations.
Applejinx
Correct. I'd like the example of NYT as a verifying authority better if I trusted the Times more than I trusted some of their journalists (blessed few, mind you).
I think it's pretty hilarious that the Times, of all people, count as 'trusted'. It makes me automatically distrust BlueSky verification, which doesn't sound like the intention.
enneff
It’s not that you need to trust the New York Times as a whole, it’s that you can trust that account is linked to that organisation. A verification tick does not imply endorsement, just that they are who they say they are.
muglug
NYT journalists are in a different class from random Bluesky users — if they spread unfounded conspiracy theories on their corporate-approved account, they can be fired from their jobs.
Put another way, a Bluesky post saying "BREAKING: Trump dies from natural causes" from an employed NYT journo carries a different salience than the same post from a random Bluesky user.
9283409232
I actually don't know what you are talking about.
trompetenaccoun
The blog post is unclear on if they will only be allowed to verify accounts as being part of NYT or if they will be allowed to give out blue checks to anyone in general. It sounds like it's the latter. If not it shouldn't be a blue check at all, it should just inform users that the account is associated with NYT.
News organizations have in recent years started selling so-called "contributor" positions. Anyone with enough money can be a journalist and influence public opinion. And NYT and similar outlets are not trustworthy sources either way, they sneak edit articles when they get caught spreading misinformation but regularly don't disclose what was actually changed. Basically rewriting their reporting as the narrative changes.
steveklabnik
> The blog post is unclear on if they will only be allowed to verify accounts as being part of NYT or if they will be allowed to give out blue checks to anyone in general.
On a technical level, any account can "verify" any other account.
On a practical level, blue checks are shown only if that verification comes from someone BlueSky trusts. Right now, that's bsky.app and nytimes.com.
throwaway642012
That’s very interesting. Does It mean NYTimes can also provide a Blue Check to someone from BBC, Reuters or even from a completely different org?
rambambram
Hey, I have this personal homepage. Available under a domain name. I trust myself, so I put a PNG of a blue check on it. If you don't trust me, I also have a blue check on my website that is put there by my best friend. Now you have to trust me. I guess I'm verified now, authenticated even.
The web really was better with more pseudonyms. I don't care if you are you, I can read your text, judge it on its merits (according to my yardstick) and I basically don't care if you or other people consume information that is true or false.
Am I missing something?
kmoser
> Am I missing something?
The ability to put fake blue checks on your website isn't the point.
Bluesky (and the web at large) is slowly becoming filled with spam and AI-generated content. Even if you're OK with more spam (not sure why you would be but you do you), why would you be OK with more content generated by non-humans (the vast majority of which attempts to pass as human)? This just makes it harder to find needles of authentic human content in a haystack of slop.
Various levels of verification make it easier to distinguish what's real from not real, for whatever definition of "real" you prefer. Without any such verification, the web just becomes a bigger wasteland.
throwawa14223
This seems like an anti-feature. The appeal of Bluesky is exactly the lack of a Twitter like central authority.
arghandugh
The opposite. It’s Twitter before Twitter was turned into a campaign of degenerate malignancy, with several escape hatches built-in.
throwawa14223
Twitter was awful before Musk and is awful in a different way now. Emulating old awful is not good just because new awful is different.
pessimizer
If you were one of the people making twitter awful before Musk, you'd prefer a service that was old awful, rather than new awful. They just want the Shah back.
senderista
You mean the kind of central authority that can censor accounts at the behest of a despotic government? Bluesky is not decentralized in any meaningful sense.
https://www.turkishminute.com/2025/04/17/bluesky-restrict-ac...
joshuaturner
My understanding of that situation was that they could either remove that content from being accessible on Bluesky (the client) or have the site blocked entirely.
They landed on country-specific moderation, which is all publicly accessible and documented, allowing countries to label specific posts/contents and have them hidden in the country. Again, this is only on the Bluesky client; other clients can ignore the 'hide' label if they choose.
This is an article that details it pretty well and links to a few tools that allow you to view everything hidden by any country moderation team: https://fediversereport.com/bluesky-censorship-and-country-b...
senderista
What are these "other clients"?
throwawa14223
I was misinformed about Bluesky. Thank you
sillysaurusx
It’s ironic that many comments are skeptical of strong centralized moderation, but they’re posting these comments on a forum with perhaps the strongest and most centralized moderation team of the entire internet.
All I’m saying is that if weak moderation has had a positive effect somewhere, it’s worth showcasing that. Otherwise the evidence is decisively in favor of strong moderation.
In terms of how to keep the moderation team from deteriorating, other platforms could learn a thing or two from HN: put someone competent in charge of the team, and give them lots of incentives to do well.
wmf
HN moderation is easy mode because it's a small site and politics is "banned". Trying to do HN-quality moderation of political discourse among millions of users seems impossible.
DevOps72
There are a lot of users that have complained about the s-banning on this site. While the moderation team of this site seems to be well-intentioned, it does inevitably lead to a very strong slant. S-banning users doesn't make them or their viewpoints go away. They just end up happening elsewhere.
Because those conversations do end up happening elsewhere, this site is famous for leaving readers with a strongly false impression of what viewpoints are actually popular among whatever you would want to call this Silicon Valley hacker / VC scene space.
The highly insidious thing about censorship is not only you don't know what you're not seeing but you don't know you're not seeing it -- you don't know what's missing.
mhh__
The old blue checks were very useful as a way of knowing who was approved by the regime. So I sort of look forward to this, even if I still really struggle to even casually use bluesky.
gus_massa
Can a country verify its president?
Can a country I don't like verify its president that I don't like either?
Prime minister? Members of the Senate? All citizens? Their own bot farm?
I got verified in the initial round of verification.
On a technical level, this sort of works like a Root CA: anyone can verify anyone by publishing an `app.bsky.graph.verification` record to their PDS. Bluesky then chooses to turn those from trusted accounts into the blue check, similar to browsers bundling root CAs into the browser.
* https://pdsls.dev/at://did:plc:z72i7hdynmk6r22z27h6tvur/app.... <- bluesky verifying me. it's coming from at://bsky.app, and therefore, blue check
* https://pdsls.dev/at://did:plc:3danwc67lo7obz2fmdg6jxcr/app.... <- me verifying people I know. it's coming from at://steveklabnik.com, and therefore, no blue check.
I am not 100% sure how I feel about this feature overall, but it is something that a lot of users are clamoring for, and I'm glad it's at least "on-protocol" instead of tacked on the side somehow. We'll see how it goes.
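The client-side decision described in this thread (anyone can publish a verification record, and the displaying software decides which issuers count), as an added sketch that is not Bluesky's or the commenter's code. The DIDs are placeholders, the sample records are constructed, and the record field names (`subject`, `handle`, `displayName`) are assumptions made for this example.

```javascript
// Constructed sample data; these DIDs are placeholders, not real accounts.
const BSKY = 'did:example:bsky-app';
const NYT = 'did:example:nytimes';
const STEVE = 'did:example:steveklabnik';
const REPORTER = 'did:example:reporter';

// Each entry models one verification record plus the repo (issuer) it was
// read from. Field names are assumed for this sketch.
const records = [
  { issuer: BSKY,  subject: STEVE,    handle: 'steveklabnik.com', displayName: 'Steve Klabnik' },
  { issuer: STEVE, subject: REPORTER, handle: 'reporter.example', displayName: 'A. Reporter' },
  { issuer: NYT,   subject: REPORTER, handle: 'reporter.example', displayName: 'A. Reporter' },
];

// Handles are domain names, so compare them case-insensitively.
const sameHandle = (a, b) => a.toLowerCase() === b.toLowerCase();

// Decide whether to show a badge for `profile` under one trust policy.
// A record counts only if its issuer is in the policy AND the handle and
// display name it recorded still match the profile as it looks today.
function evaluateBadge(profile, allRecords, trustedIssuers) {
  const acceptedFrom = [];
  const ignored = [];
  for (const rec of allRecords) {
    if (rec.subject !== profile.did) continue;
    if (!trustedIssuers.has(rec.issuer)) {
      ignored.push({ issuer: rec.issuer, reason: 'untrusted-issuer' });
    } else if (!sameHandle(rec.handle, profile.handle)) {
      ignored.push({ issuer: rec.issuer, reason: 'handle-changed' });
    } else if (rec.displayName !== profile.displayName) {
      ignored.push({ issuer: rec.issuer, reason: 'display-name-changed' });
    } else {
      acceptedFrom.push(rec.issuer);
    }
  }
  return { verified: acceptedFrom.length > 0, acceptedFrom, ignored };
}

// Two policies over the same records: the app's built-in list, and a
// different client (or user setting) that trusts a different issuer.
const defaultPolicy = new Set([BSKY, NYT]);
const customPolicy = new Set([STEVE]);

const reporter = { did: REPORTER, handle: 'reporter.example', displayName: 'A. Reporter' };
// Same account after changing its display name to something misleading.
const renamed = { ...reporter, displayName: 'Official NYT Desk' };

console.log(evaluateBadge(reporter, records, defaultPolicy)); // badge via NYT
console.log(evaluateBadge(reporter, records, customPolicy));  // badge via STEVE
console.log(evaluateBadge(renamed, records, defaultPolicy));  // no badge
// Revocation: the issuer deletes its record, so the badge disappears.
console.log(evaluateBadge(reporter, records.filter((r) => r.issuer !== NYT), defaultPolicy));
```
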