On a technical level, this sort of works like a Root CA: anyone can verify anyone by publishing an `app.bsky.graph.verification` record to their PDS. Bluesky then chooses to turn those from trusted accounts into the blue check, similar to browsers bundling root CAs into the browser.
* https://pdsls.dev/at://did:plc:z72i7hdynmk6r22z27h6tvur/app.... <- bluesky verifying me. it's coming from at://bsky.app, and therefore, blue check
* https://pdsls.dev/at://did:plc:3danwc67lo7obz2fmdg6jxcr/app.... <- me verifying people I know. it's coming from at://steveklabnik.com, and therefore, no blue check.
I am not 100% sure how I feel about this feature overall, but it is something that a lot of users are clamoring for, and I'm glad it's at least "on-protocol" instead of tacked on the side somehow. We'll see how it goes.
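The record/badge split described above, as an added example that is not Bluesky's code: a minimal AppView policy in Go over constructed `app.bsky.graph.verification` records. The only values taken from the comment are the two DIDs in the links; the record field names (`subject`, `handle`) follow the published lexicon but are assumed here, as is the rule that a record stops counting once the subject's handle changes.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// The first two DIDs are the repos behind the at:// links quoted in the comment above;
// the other two are constructed placeholders.
const (
	BskyAppDID       = "did:plc:z72i7hdynmk6r22z27h6tvur" // at://bsky.app
	SteveDID         = "did:plc:3danwc67lo7obz2fmdg6jxcr" // at://steveklabnik.com
	FriendDID        = "did:plc:constructedfriend0000000"
	RenamedDID       = "did:plc:constructedrenamed000000"
	VerificationNSID = "app.bsky.graph.verification"
)

// Verification is one app.bsky.graph.verification record as an AppView sees it.
// Field names follow the published lexicon (assumed here; the thread does not list them).
type Verification struct {
	URI     string // at://<issuer did>/app.bsky.graph.verification/<rkey>
	Subject string // DID being vouched for
	Handle  string // handle the subject had when the record was written
}

// ParseATURI splits at://<authority>/<collection>/<rkey> into its parts.
func ParseATURI(uri string) (did, collection, rkey string, err error) {
	if !strings.HasPrefix(uri, "at://") {
		return "", "", "", errors.New("not an AT URI: " + uri)
	}
	parts := strings.Split(strings.TrimPrefix(uri, "at://"), "/")
	if len(parts) != 3 || parts[0] == "" || parts[1] == "" || parts[2] == "" {
		return "", "", "", errors.New("malformed AT URI: " + uri)
	}
	return parts[0], parts[1], parts[2], nil
}

// Issuer returns the repo (DID) a record was published to, i.e. who is asserting it.
func Issuer(v Verification) (string, error) {
	did, coll, _, err := ParseATURI(v.URI)
	if err != nil {
		return "", err
	}
	if coll != VerificationNSID {
		return "", fmt.Errorf("%s is not a %s record", v.URI, VerificationNSID)
	}
	return did, nil
}

// Badges is the AppView's policy. Anyone may publish a record (the "anyone can be a
// root CA" half of the analogy); only records whose issuer is in trusted become a badge
// (the "browser bundles root CAs" half). Stale records (handle changed) are ignored too.
func Badges(records []Verification, trusted map[string]bool, currentHandles map[string]string) map[string][]string {
	shown := map[string][]string{}
	for _, v := range records {
		issuer, err := Issuer(v)
		if err != nil || !trusted[issuer] {
			continue // still on-protocol for other clients; this one just does not render it
		}
		if currentHandles[v.Subject] != v.Handle {
			continue // stale: the account changed handle after it was verified (assumed rule)
		}
		shown[v.Subject] = append(shown[v.Subject], issuer)
	}
	return shown
}

// Constructed sample data mirroring the two links above, plus one stale record.
var CurrentHandles = map[string]string{
	SteveDID:   "steveklabnik.com",
	FriendDID:  "friend.example",
	RenamedDID: "new-handle.example",
}

var Records = []Verification{
	{"at://" + BskyAppDID + "/" + VerificationNSID + "/3aaaa", SteveDID, "steveklabnik.com"},
	{"at://" + SteveDID + "/" + VerificationNSID + "/3bbbb", FriendDID, "friend.example"},
	{"at://" + SteveDID + "/" + VerificationNSID + "/3cccc", RenamedDID, "old-handle.example"},
}

// BskyAppView models the default client: only bsky.app is a trusted verifier.
func BskyAppView() map[string][]string {
	return Badges(Records, map[string]bool{BskyAppDID: true}, CurrentHandles)
}

// CustomAppView models "configure your AppView not to trust them": same records, other roots.
func CustomAppView() map[string][]string {
	return Badges(Records, map[string]bool{SteveDID: true}, CurrentHandles)
}

func main() {
	fmt.Println("bsky.app policy:", BskyAppView())
	fmt.Println("custom policy:  ", CustomAppView())
}
```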
I hear you. I haven't investigated every account that got the badge, but it feels to me like they picked people who are both technical and engaged with the protocol, so not entirely arbitrary. That naturally will have some correlation with "I know someone at bsky". I know I've seen accounts that I think are cooler than I am who didn't get verified yet! I'm sure they'll be expanding soon, which will dilute this sort of association.
Hilariously, it's kind of less centralized than I expected: there's no "Bluesky is the web of the root of trust" here, only "Bluesky chooses which records convert to UI" which leaves the whole system open for others.
You don't trust the NYT to verify its own reporters?
Also, why do you say that in any circumstance? Who do you trust?
I’m on Bsky as well but haven’t seen any such updates.
I think this makes sense, because 1. most people want this sort of feature for news and 2. the kinds of people they verified technically are likely to play around with it and see how sound it is, which is who I'd want to be kicking the tires.
I'm not sure when they'll verify more people, but this is only the beginning, for sure.
How is this compatible with Bluesky's internal cultural vision of "The company is a future adversary"[1][2][3]? With Twitter, we've seen what happens with the blue check feature when there's a corporate power struggle.
[1]: https://news.ycombinator.com/item?id=35012757
[2]: https://bsky.app/profile/pfrazee.com/post/3jypidwokmu2m
[3]: https://www.newyorker.com/magazine/2025/04/14/blueskys-quest...
The problem with Twitter (before the whole blue check system was gutted into meaninglessness) was that not enough verification badges were handed out. It's not exactly a dangerous situation.
Bluesky's idea of verified orgs granting verification badges to its own org members would be an example of a much more robust and hands off system than what Twitter had.
The dangerous scenario is what happened to Twitter after the Elon takeover: verification becomes meaningless overnight while users still give the same gravity to verification badges which causes a huge impersonation problem. But that possibility is not a reason to have zero verification.
What Twitter started doing was removing blue checks from people who were causing problems for the platform (but not behaving badly enough to be kicked off). This made no sense, because people still needed to know if a person was who he claimed to be (e.g., Milo Yiannopoulos) even if the person was controversial or problematic or just plain nasty.
Blue Checks weren't "gutted". Now they just mean something else -- you're a premium subscriber.
If Bluesky becomes evil, you just configure your AppView not to trust their verifications.
Of course, that's the problem: right now we mostly have one AppView (bsky.app), which is the current SPOF in the mitigation plan against the "Bsky becomes the baddies" scenario.
We need a way to reflect that human "social trust" is born distributed, and centralising trust subverts it. But here, while they introduce third party verifiers, rather than individuals deciding which verifiers to trust, bsky is going to bless some. So this is just centralised trust with delegation.
With that in mind, it seems like bluesky is trying to thread the needle on providing tools for the community to do their own verification (via the protocol) while also making their own client "notable user" friendly (via blessed verifications that show blue checks).
I also don't see why it wouldn't be possible for someone to build a labeler that shows verifications from non-bluesky blessed sources. Then community members could subscribe to that labeler to get non-blessed verifications that they choose to show. It wouldn't show up as a blue check but it would still show up on the user's profile in bluesky.
It would look something like this existing "verification" labeler that doesn't use the underlying verification feature on the protocol but instead has to maintain the data in a 3rd party store: https://imgur.com/a/tXR4FUu
Additionally, third-party clients like Pinksky or Skylight could choose to show blue checks or whatever UI for any verifiers they choose. All the data is on the protocol now, so the 3rd party clients wouldn't need to do the verification themselves.
An automated version of this system might say "we verify anybody who at least N people within 3-4 steps of your followers graph are also following."
In a big city, you go to the store that's labeled "Butcher" and figure that, because the building is quite permanent and there's a lot of butchery stuff in there and it seems clean and there are people going in and out, then it's probably a fine butcher shop. No real "social" trust involved.
An automated version of this is probably domain checking, follower count, checking that N other 'verified' accounts follow it, some basic "is this a known malicious actor" checks, waiting until the account has some age, etc. Still kind of distributed, but not really relying on your own social trust metrics.
What's fun is that Bluesky allows you to implement both of those mechanisms yourself.
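An added sketch (not code from the thread or from Bluesky) of the automated rule proposed above: a breadth-first walk over a constructed follow graph counts how many accounts within a few hops of the viewer follow the candidate, with the account-age and "known malicious actor" checks layered on top. All handles, dates and thresholds are constructed.

```go
package main

import (
	"fmt"
	"time"
)

// Follows maps an account to the accounts it follows (constructed graph below).
type Follows map[string][]string

// Neighborhood returns every account reachable from viewer in 1..maxHops follow steps,
// keyed by the hop at which it was first reached; the viewer itself is excluded.
func Neighborhood(f Follows, viewer string, maxHops int) map[string]int {
	hops := map[string]int{viewer: 0}
	frontier := []string{viewer}
	for depth := 1; depth <= maxHops && len(frontier) > 0; depth++ {
		var next []string
		for _, a := range frontier {
			for _, b := range f[a] {
				if _, seen := hops[b]; !seen {
					hops[b] = depth
					next = append(next, b)
				}
			}
		}
		frontier = next
	}
	delete(hops, viewer)
	return hops
}

// Endorsers counts accounts in the viewer's neighbourhood that follow candidate: the
// "at least N people within 3-4 steps are also following" rule.
func Endorsers(f Follows, viewer, candidate string, maxHops int) int {
	n := 0
	for a := range Neighborhood(f, viewer, maxHops) {
		for _, b := range f[a] {
			if b == candidate && a != candidate {
				n++
				break
			}
		}
	}
	return n
}

// Account carries the non-graph facts the checker needs.
type Account struct {
	Handle    string
	CreatedAt time.Time
}

// Policy bundles the social threshold with the other checks the thread lists.
type Policy struct {
	MinEndorsers int
	MaxHops      int
	MinAge       time.Duration
	Denylist     map[string]bool // the "known malicious actor" list
}

// AutoVerify decides from viewer's vantage point and names the first failing check.
func AutoVerify(p Policy, f Follows, viewer string, acct Account, now time.Time) (bool, string) {
	if p.Denylist[acct.Handle] {
		return false, "denylisted"
	}
	if now.Sub(acct.CreatedAt) < p.MinAge {
		return false, "account too new"
	}
	if n := Endorsers(f, viewer, acct.Handle, p.MaxHops); n < p.MinEndorsers {
		return false, fmt.Sprintf("only %d endorsers within %d hops", n, p.MaxHops)
	}
	return true, "ok"
}

// Constructed graph. Relative to me.example: alice and bob are 1 hop away, carol and
// cand 2, dave 3, newbie 4. cand.example is followed by 3 accounts within 2 hops, 4 within 3.
var Graph = Follows{
	"me.example":    {"alice.example", "bob.example"},
	"alice.example": {"carol.example", "cand.example"},
	"bob.example":   {"cand.example"},
	"carol.example": {"cand.example", "dave.example"},
	"dave.example":  {"cand.example", "newbie.example"},
}

// Now is a fixed clock so results are reproducible (constructed).
var Now = time.Date(2025, 4, 21, 12, 0, 0, 0, time.UTC)

var DefaultPolicy = Policy{MinEndorsers: 4, MaxHops: 3, MinAge: 30 * 24 * time.Hour,
	Denylist: map[string]bool{"spammer.example": true}}

func main() {
	cand := Account{"cand.example", Now.AddDate(0, -6, 0)}
	fmt.Println(AutoVerify(DefaultPolicy, Graph, "me.example", cand, Now))
}
```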
And whatever happened to Keybase? That seemed like a good solution. Verify by public/private key? It really seems like that could be extended. I mean we have things like attribute keys and signing keys. It seems like a solvable solution but just the platforms need to create a means for the private bodies to integrate their keys.
Hell, I wish we'd have verification keys for cops and gov employees. Show me a badge? No, show me a badge with a key I can scan and verify your identity. It's much harder to forge a badge with a valid key than it is to forge a badge that just looks good enough.
Part of the problem here is consistent identity over time. People do not like changing their handles unless they want to. I'm steveklabnik.com now, but if I started working at the NYT, and had to switch to steveklabnik.nyt.com, old links break to my posts, etc. And what happens if I want to be verified by more than one org at a time? Domains (at present) can't do that.
They got acquired by Zoom and promptly put Keybase into maintenance mode.
DNS for your average user is too complicated. Also what should the domain name be for a journalist at the NYT? What if they leave the NYT?
Could use follows, retweets, etc. instead of page links.
The approach they've taken ("trusted verifiers") is an approach aligned with their values, as it is an extension of the labelling concept that is already well established in the ecosystem. As an idealist, it is a shame that they gave up, I think they could have had an impact on shifting how non-technical people view domain names and understand digital identity... but as a pragmatist, this is the right choice. Bluesky has to pick their battles, and this isn't a hill to die on.
That just leaves me wondering why they bothered with a new separate system instead of just using the existing label system. A "verified by bsky.social" or "verified by nyt.com" or whatever label would do the job perfectly well, no?
They didn't really give up, though - the domain verification still stands and is just as powerful as ever.
All I’m saying is that if weak moderation has had a positive effect somewhere, it’s worth showcasing that. Otherwise the evidence is decisively in favor of strong moderation.
In terms of how to keep the moderation team from deteriorating, other platforms could learn a thing or two from HN: put someone competent in charge of the team, and give them lots of incentives to do well.
Well, the “wrong” politics are.
Because those conversations do end up happening elsewhere, this site is famous for leaving readers with a strongly false impression of what viewpoints are actually popular among whatever you would want to call this Silicon Valley hacker / VC scene space.
The highly insidious thing about censorship is not only you don't know what you're not seeing but you don't know you're not seeing it -- you don't know what's missing.
All research shows the opposite, in fact. Adding friction to something causes a chilling effect in nearly any and all examples we have ever paid attention to. When you remove easy access to guns, people kill themselves less despite there being other easy ways to do so. When Reddit banned a bunch of toxic communities, the entire site had less toxicity, even on subreddits that were unrelated to the toxic communities.
Friction works. It works insanely effectively too.
Something like:
Bluesky user X is equivalent to (has control of)
domain A (domain verification)
YouTube account B (YouTube verification)
Mastodon account C (Mastodon verification)
D@nytimes.com (email verification)
So logically I would expect a protocol that allows cross-domain verification. The best I can come up with is something that works sort of like domain verification extended to user@domain verification. That is, a better-engineered version of "make a YouTube video with the string 'unique uuid code' in the comment so that we can verify you own that YouTube account". The problem is that some domains would have no problem standing up this sort of verification. The Times only benefits from verifying its employees. However, I can see fellow social media sites balking, as this equivalency weakens the walls that keep people in.
As someone who believes in equal access and privilege, this is just horrible. "Trusted Verifiers" - how does the bsky team decide which orgs can be trusted? One could argue that this is worse than Twitter. And of course, the echo chamber is going to get worse.
Read again, slowly perhaps, about the first layer of verification.
Trusted flaggers literally need to publish transparency records and are approved by orgs in EU countries under elected governments.
If you say that is all bullshit and the EU is North Korea and North Korea is a shining example of democracy, then you should probably remove your dig at the DPRK's self-naming ;) Because your own comment measures non-democratic countries by the standard of democratic countries. If you want to be wrong, at least be consistent.
There's nothing surprising about this.
Censorship is a negative frame when it also provides healthy platform moderation and safety.
It seems to me that BlueSky is trying to rewind the clock and be the pre-Elon Twitter. They had a decent chance to become what Signal is to messaging, but it looks like they are trying to be just another social media company.
We’re truly in the post-social media age.
https://www.turkishminute.com/2025/04/17/bluesky-restrict-ac...
They landed on country-specific moderation, which is all publicly accessible and documented, allowing countries to label specific posts/contents and have them hidden in the country. Again, this is only on the Bluesky client; other clients can ignore the 'hide' label if they choose.
This is an article that details it pretty well and links to a few tools that allow you to view everything hidden by any country moderation team: https://fediversereport.com/bluesky-censorship-and-country-b...
Am I anti-moderation? No, not really. But the attitude Bluesky users have towards it feels very much like wanting to be validated for not liking Twitter ('s users) rather than a forum for adults who enjoy seeing content from people wildly unlike themselves, which is what drew me to Twitter 15 years ago.
Put another way, a Bluesky post saying "BREAKING: Trump dies from natural causes" from an employed NYT journo carries a different salience than the same post from a random Bluesky user.
I think it's pretty hilarious that the Times, of all people, count as 'trusted'. It makes me automatically distrust BlueSky verification, which doesn't sound like the intention.
News organizations have in recent years started selling so-called "contributor" positions. Anyone with enough money can be a journalist and influence public opinion. And NYT and similar outlets are not trustworthy sources either way, they sneak edit articles when they get caught spreading misinformation but regularly don't disclose what was actually changed. Basically rewriting their reporting as the narrative changes.
On a technical level, any account can "verify" any other account.
On a practical level, blue checks are shown only if that verification comes from someone BlueSky trusts. Right now, that's bsky.app and nytimes.com.
Which ones? I've heard of that with lower credibility organizations (Forbes, I think), but nothing like the NYT.
> they sneak edit articles when they get caught spreading misinformation but regularly don't disclose what was actually changed.
I think they correct things. I'm not sure they have ever been in the habit of notifying people of every correction, though it would be interesting to have an edit history with diffs.
They describe it as a "blue check" when in fact it is a white check on a blue circular background.
Just nit-picking I guess, but sometimes I read a passage that describes something and I conjure an image in my mind of what I would see should I open my eyes with it all laid out in front of me. This does not fit the image that is described in the post and makes me want to question the author's observational skills.
Trend.
I mean, what even are network effects!?
The web really was better with more pseudonyms. I don't care if you are you; I can read your text, judge it on its merits (according to my yardstick), and I basically don't care if you or other people consume information that is true or false.
Am I missing something?
The ability to put fake blue checks on your website isn't the point.
Bluesky (and the web at large) is slowly becoming filled with spam and AI-generated content. Even if you're OK with more spam (not sure why you would be but you do you), why would you be OK with more content generated by non-humans (the vast majority of which attempts to pass as human)? This just makes it harder to find needles of authentic human content in a haystack of slop.
Various levels of verification make it easier to distinguish what's real from not real, for whatever definition of "real" you prefer. Without any such verification, the web just becomes a bigger wasteland.
Exactly! ;) Bullshit is still bullshit, whether it's under a real name or a pseudonym. Additionally, blue checks don't stop "real/verified" people from copy/pasting AI-generated content.
That's my point. ;)
Internet was intended to be anonymous.
It doesn't mean "this person is trustworthy" it means "this person is who they claim to be". But people desperately want it to be the former, or some sort of club.
But these are completely orthogonal concepts that demand different solutions.
Bluesky should do better here though, their definition of "verified" is buried in the blog post as "authentic and notable". This is okay I guess, sort of matches old Twitter. But a bit wishy-washy.
One idea could be to link verification badges to Wikipedia (or Wikidata) entities so you understand who is confirming what about the account. "This Mark Cuban Bluesky account is the same as the Mark Cuban in this Wikipedia article" and let the Wikipedia editors fight over noteworthiness etc.
If it's only for notable people, then it is a sort of club.
Maybe people trying to protect their "brand"? Is there really that much demand for branded content?
I’m a proponent of verification only for “important people”. Yes, the definition of important is funny, and people may feel slighted by it: but I’ve yet to find a system that helps me identify high quality sources so immediately on a social media platform.
The trouble with what platforms like Twitter did was by trying to stick to some definition of important, they took what should be a mundane "yep, this is the person it looks like" icon and made it into a status symbol that everyone wanted. Twitter had a hard time defining the boundaries: Shouldn't they verify their most influential users even if they're not real world celebrities or public figures? What happens if someone who is verified says something that they don't like? How do you prevent corruption when you give other organizations special privileges for verification?
For Twitter and Instagram verification, people were bribing employees and getting verification just because they joined an organization (like an eSports team or a news organization.) This was not a good status quo.
Bluesky is probably headed towards the same problem if they try to be the bearer of who's important. Obviously, you can't verify any Joe Schmoe, but honestly you can just set a reasonable threshold based on their status in the platform for as to whether or not they should be eligible to get verification. When you do stuff like say "You should be able to be verified because you work for NYT", that's just weird. Being a journalist doesn't magically make you important, or mean that your posts will be worthy of greater consideration, yet that's what you're setting people up for when you make verification into a big ordeal like this, and it's the reason why Twitter would unverify people for e.g. having an opinion too far outside the Overton window. And using in-platform metrics to determine eligibility seems reasonable anyways... If you have like 10 followers, your verification status is utterly meaningless anyways.
I think if they want to solve the problem for journalists they should've verified the organizations and then made this separate from verifying individuals. Then accounts under that domain could just have some sort of special badge. This especially makes sense because otherwise you could literally just have your personal account become verified by having a couple-month stint at the NYT or something, which is nonsensical.
Bewildering to me that seemingly any move in the right direction for social media is criticized with even more venom. How exhausting it must be to be stuck in such a frame of mind.
Showing users that these ideas work is a win, it doesn't matter what Bluesky does in the future.
If I am verified by 2 parties each of whom is verified by 10 parties each of whom is verified by 1 party then my verification score would be 20 (= 2 x 10 x 1).
Then people could trust me being me 20x more than somebody who is only verified by one party who is only verified by one party who is not verified by anybody?
Not sure how big of a priority this is for the team that runs it, but I would probably use it 20x more if it were run competently.
It's politics I can't avoid there, not pornography.
Granted, I'm probably part of the problem, since I do post (and repost) some political stuff every once in a while, but still.
And even that is not a guarantee, as it needs to be validated by the Bluesky team, for which it helps, in their own words, to have connections with them.
Otherwise I could buy dozens of domains and spin up bots to churn out AI slop as "validated" accounts. I could buy linustorvalds.com for 25k and impersonate him.
It's still a two-tier system for clout-chasers. If you're cool enough, you get an "Officially Cool™" badge from the bsky team. If you're not, hope that a 3rd party provider decides to give you one. Or you're a second-grade netizen.
A high score usually indicates a trusted account. Check it out here: https://bluefacts.app/top
Trust is always going to be a game of cat and mouse, and this seems like just another move.
Is this not still a top-down system, just with one level of indirection?
Something not-top-down might look more like the web-of-trust model.
https://news.ycombinator.com/item?id=40298552#40298804
Delegation similar to bluesky's "NYT org issues certs to journalist" is also possible and done in a far more versatile manner.
If you have a domain and want the ability to issue certs to others, email me...this will just be for experimenting of course :)
Fine with this albeit very 'manual'...but not clear if any other choice. I do really like the domain username scheme and if anything this news just draws more attention to that because there's sooo many organizations/news outlets etc not taking advantage.
If these orgs don't have IT departments, then, well, pay me $20 and I'll do it for you.
Can a country I don't like verify its president, whom I don't like either?
Prime minister? Members of the Senate? All citizens? Their own bot farm?
haha
Before Twitter did any sort of verification it was not difficult to determine whether an account claiming to be someone was actually that person for anyone who was actually interested.
I suspect a lot of people have this delusional fantasy where “verification” is going to shape political discourse in their favor.
It was if you were a regular, non-technical user or not terminally on Twitter.
Can't be that hard to have this
After all, we already have an established and highly-monitored set of sibling "trust roots" — we call them Certificate Authorities.
And we already have an identity-validation system coupled onto X.509 FQDN-as-CN (i.e. TLS) certificates — certificate validation levels.
BlueSky could just:
1. require a domain username for verification;
2. require that the domain presents an Organization Validated (OV) cert for verification as a "public individual" (i.e. the kind with a "personal brand" — which usually implies "worth registering as an LLC");
3. require that the domain presents an Extended Validation (EV) cert for verification as a corporation.
...and the whole problem of identity validation becomes outsourced, and federated, and decentralized. (Federated because multiple sibling CAs; decentralized because every computer administrator gets to decide for themselves which CAs their machine should trust.)
---
A rebuttal might be that "EV certs can't be used for this, because EV certs are too expensive, take too long to get, and don't integrate well with automatic per-subdomain DV cert issuance via ACME."
But (IMHO) that's not a problem to be worked around; that's a problem to be fixed. Why leave a broken generalized web-of-trust infrastructure sitting there unused?
If an online casino can KYC/AML you in two minutes with a passport scan and a 3D camera photo, it shouldn't be impossible to do for OV+EV validation what we did for DV validation with ACME. (Ideally in such a way that you can do the interactive process once, receiving not a cert, but some kind of collateral; and then, later on, any ACME server should accept that collateral during an interactive domain ownership probe, to upgrade the DV cert it's issuing you into an OV/EV cert.)
---
The other neat thing about this approach is that, in a "fat" native BlueSky app (i.e. not just an Electron wrapper), the app wouldn't have to trust the BlueSky service to say who's verified. The app could TLS-validate each domain username itself, to compute the appropriate badge for that user — just as a web browser does when you visit a website. And it would presumably use your machine's OS TLS CA store for that validation, just as (some) browsers do.
2. I've been programming and hosting websites for a decade+ and I would have no idea where to start with any of the things that you propose they "just" require.
3. The OV requirement seems kind of hokey. There's no such thing as "worth registering as an LLC" — anything can be an LLC. You could have an LLC that just holds your dog's assets and call it Internal Revenue Service (LLC), assuming someone else hasn't already grabbed that name in your state, and that would be completely valid.
All of this would make it way too difficult to navigate verification for normal people, and I'm not convinced it would do anything to stop determined bad actors.
That's because OV/EV certification is (currently) viewed/remembered mostly as "a bunch of bullshit that nobody sees the point in", and/or "a money-making scheme designed to allow big companies to throw money at the problem of looking 'more secure' than small companies, by showing up with a prettier lock icon/address bar state in web browsers" — ignoring the fundamental value provided by the design of the system, due to the pragmatics and politics of existing and previous (mostly previous) implementations of the design.
A site presenting an EV cert used to look like e.g. this in Firefox: https://upload.wikimedia.org/wikipedia/commons/6/63/Firefox_...
And this in IE/Edge: https://www.thesslstore.com/blog/wp-content/uploads/2010/06/...
Once browsers stopped visually differentiating sites signed by OV/EV certificates from sites signed by DV certificates with the big "green for go" coloration, corporations no longer had any motivation to get EV certificates, so everybody forgot they existed. This happened a decade+ ago.
(And then, in 2019, the last vestige of this distinction was removed, when EV certs stopped making browsers show the identified company name beside the lock icon: https://www.leaderssl.com/news/492-google-and-mozilla-will-s...).
Because of this, nobody today is really familiar with EV certs. But that doesn't mean they're hard or arcane; they're just obscure. And the process for getting one is clunky — but it used to be that the process for getting regular (DV) certs was clunky, too. The EV cert process just hasn't been updated with the times to match the ease of getting a DV cert, because nobody has cared to do so, because there's no demand.
But neither of those things means that EV certs aren't fundamentally a good way to secure identity in a web of trust. Every code signing certificate is an EV cert, for example. And all cross-signed CA certs are EV certs. EV certs are still there, quietly underpinning much of X.509's security model, in TLS and elsewhere.
And as such, it's silly to recreate the EV validation ecosystem, but worse, for something (identity verification on BlueSky) that is pretty much exactly "the green address bar" use-case all over again — when we could instead just revive the dormant infrastructure that powered things the last time we cared about federated identity verification, and polish it up a bit for use in 2025.
> All of this would make it way too difficult to navigate verification for normal people
If they wanted, BlueSky could match what they're doing today by 1. setting up their own X.509 CA, and then 2. delegating the constrained ability to issue OV+EV certs to users from this CA, to named entities (like the NYT, as mentioned in the announcement.) Then you wouldn't have to do anything; everything could be handled on their end, with a BlueSky-CA-issued OV or EV cert just magically appearing bound to your BlueSky account.
(And they could — but wouldn't have to — get this CA into default trust stores of client devices. The BlueSky webapp backend would have the BlueSky CA explicitly in its trust store; as would any first-party native fat clients. Any third-party native fat clients would need to add the CA cert into the app and configure their HTTP client to use it. X.509 is not one global system; every X.509 root-of-trust creates its own tree-of-trust, which is only a web-of-trust insofar as multiple roots-of-trust can [but don't have to] cross-sign things.)
The point here is just that with X.509, big entities who BlueSky is unwilling to delegate identity-verification authority to, or who don't trust BlueSky — or, as BlueSky themselves say, the existing userbase at the point where BlueSky itself becomes adversarial to them — can step outside of this de-facto centralized trust model, by instead getting a different X.509 CA of choice to issue EV certs for any entities they want identity-verified; and then uploading (or in the case of a native app, installing) these certs to bind them to their BlueSky accounts.
In a bigcorp MDM domain, your EV cert allowing you to speak as @bigcorp_pr or whatever, would just get MDM-installed onto your device and you'd never even think about it. You'd just know that you actually can't log into that BlueSky account on any non-company device, despite knowing the password to the account, because no other device has the cert installed.
> and I'm not convinced it would do anything to stop determinated bad actors.
It does as much and as little as what BlueSky's announced approach — have human moderators check identity verifications using their common sense — does.
That's all EV validation is, in the end: collecting a bunch of information and then having a human look at it and say "yeah, this is really who should be getting certified to say they own this domain" or "no, this seems to be some kind of domain hijacking attempt." (Or even "this domain seems created to typosquat a popular brand, so I'm not granting the cert, even if the person really does own the domain." Denying typosquatters EV certificates is/was an explicit feature of most CAs' EV processes — although the term "typosquatting" hadn't been coined yet, so it was referred to as "trademark protection" or somesuch.)
The only difference, in leaning on X.509 infrastructure to do this, would be that you wouldn't have to rely on "BlueSky moderators" as your only group of people willing to put their reputations on the line to assert "yeah, this is who they say they are; they're really in charge of this business; and this business is a real thing—the one you'd think of when you see the name." You can go out and ask any company specialized in "having a reputation for making identity-validation assertions that everyone trusts" (i.e. an X.509 CA) to do it for you.
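The constrained delegation sketched in this reply, as an added Go example (not BlueSky's or any CA's code): a platform-operated root issues a name-constrained intermediate to a newsroom, and verification, done by the client itself as proposed, accepts a cert for `reporter.nytimes.com` but rejects one the newsroom CA issued outside its constraint. Names, serials and validity are constructed; the in-memory cert pools stand in for an OS or app trust store.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func newKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }

// sign issues tmpl under parent (self-signed when parent == tmpl) and returns it parsed.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, key *ecdsa.PrivateKey) *x509.Certificate {
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, key))
	return must(x509.ParseCertificate(der))
}

// template builds a one-day certificate template; CA templates may sign, leaves carry
// the handle as a DNS SAN so the client can verify it like a hostname.
func template(serial int64, name string, isCA bool) *x509.Certificate {
	now := time.Now()
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		t.KeyUsage = x509.KeyUsageCertSign
	} else {
		t.DNSNames = []string{name}
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// Hierarchy is the constructed model of the proposal: a platform root, an intermediate
// handed to one newsroom but name-constrained to its own domain, and two leaves it signed.
type Hierarchy struct {
	Root, NYT, GoodLeaf, BadLeaf *x509.Certificate
}

func BuildHierarchy() Hierarchy {
	rootKey, nytKey := newKey(), newKey()
	rootTmpl := template(1, "Example Verification Root (constructed)", true)
	root := sign(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)

	// The delegation: the newsroom may issue, but only for names under nytimes.com.
	nytTmpl := template(2, "Example delegated newsroom CA (constructed)", true)
	nytTmpl.PermittedDNSDomainsCritical = true
	nytTmpl.PermittedDNSDomains = []string{"nytimes.com"}
	nyt := sign(nytTmpl, root, &nytKey.PublicKey, rootKey)

	leaf := func(serial int64, handle string) *x509.Certificate {
		k := newKey()
		return sign(template(serial, handle, false), nyt, &k.PublicKey, nytKey)
	}
	// BadLeaf is the newsroom CA overstepping its delegation; issuance itself succeeds.
	return Hierarchy{root, nyt, leaf(3, "reporter.nytimes.com"), leaf(4, "reporter.example.org")}
}

// VerifyHandle is what a "fat" client would do itself: chain the cert bound to a handle
// to the roots this client trusts; the name constraint is enforced during path validation.
func VerifyHandle(leaf, intermediate, root *x509.Certificate, handle string) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	inters := x509.NewCertPool()
	inters.AddCert(intermediate)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: handle})
	return err
}

func main() {
	h := BuildHierarchy()
	fmt.Println("reporter.nytimes.com:", VerifyHandle(h.GoodLeaf, h.NYT, h.Root, "reporter.nytimes.com"))
	fmt.Println("reporter.example.org:", VerifyHandle(h.BadLeaf, h.NYT, h.Root, "reporter.example.org"))
}
```

Swapping the root passed to VerifyHandle is the "step outside BlueSky's trust model" move from the comment: the same chain is simply rejected by a client that trusts a different root.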
Not a good look.
Domain verification was genuinely all the verification needed. This checkmark system is just a copy-paste troublemaker from Twitter, and we all saw how well that turned out whenever a celebrity or billionaire's account got hacked to shill grifto schemes. Training users to only look for a symbol just desensitizes them to the complexities of identity and sanctioned speech.
This is what their users are looking for. They don't want complexity, they want to know who they're supposed to listen to.
That said, your gray-status is exactly why I long since stopped pointing out that's what people want, and instead shifted my argument towards educating readers why that's bad. The dearth of informed electorates is a crisis plaguing humanity as a whole, and we sorely need to start shining a light on the practices that create this harm ("answer engines") rather than shaming users that engage with those traps alone.