I got verified in the initial round of verification.
On a technical level, this sort of works like a Root CA: anyone can verify anyone by publishing an `app.bsky.graph.verification` record to their PDS. Bluesky then chooses to turn those from trusted accounts into the blue check, similar to browsers bundling root CAs into the browser.
* https://pdsls.dev/at://did:plc:z72i7hdynmk6r22z27h6tvur/app.... <- bluesky verifying me. it's coming from at://bsky.app, and therefore, blue check
* https://pdsls.dev/at://did:plc:3danwc67lo7obz2fmdg6jxcr/app.... <- me verifying people I know. it's coming from at://steveklabnik.com, and therefore, no blue check.
I am not 100% sure how I feel about this feature overall, but it is something that a lot of users are clamoring for, and I'm glad it's at least "on-protocol" instead of tacked on the side somehow. We'll see how it goes.
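To make the mechanism in the comment above concrete, here is an added example in Go (not code from the thread, and not Bluesky's AppView): a resolver that takes the verification records naming an account, a trust policy of root and designated-verifier DIDs, and the account's current handle, and decides which badge to render. The field names on the record, the rule that a record goes stale once the subject's handle no longer matches the one recorded at issuance, and the modelling of trusted verifiers as a plain set are all assumptions for the example; the page does not describe how Bluesky designates verifiers or invalidates records. The bsky.app and steveklabnik.com DIDs are the ones in the pdsls.dev links; every other DID is constructed. The security-relevant detail is where the issuer comes from: it is the repository the record was fetched from (the authority of the at:// URI, and so the key that signed the commit), never a field inside the record, so a record Mallory publishes in her own repo vouching for herself is just one more untrusted issuer.

```go
package main

import (
	"fmt"
	"strings"
)

// VerificationRecord is an app.bsky.graph.verification record as read from the
// issuer's repository. Field names are an assumption for this example. IssuerDID
// is not a field of the record: it is the repo (the at:// authority, hence the
// signing key) the record was fetched from, so it cannot be self-asserted.
type VerificationRecord struct {
	IssuerDID string
	Subject   string // DID of the account being vouched for
	Handle    string // subject's handle at issuance time
}

// Identity is the subject's current DID and handle, resolved from its DID document.
type Identity struct {
	DID, Handle string
}

// TrustPolicy is the viewer's (or AppView's) set of issuers to believe, the
// analogue of a CA bundle: roots mint the blue check directly, trusted
// verifiers are the organisations a root has designated.
type TrustPolicy struct {
	Roots, TrustedVerifiers map[string]bool
}

type Badge int

const (
	NoBadge       Badge = iota
	BlueCheck           // at least one live record from an issuer in the policy
	UntrustedOnly       // live records exist, but none from a trusted issuer
)

func (b Badge) String() string {
	switch b {
	case BlueCheck:
		return "blue check"
	case UntrustedOnly:
		return "verified by untrusted issuers only"
	}
	return "no badge"
}

// Resolve decides what to render for id. A record counts only if it names id,
// still matches id's current handle (assumed rule: a handle change after
// issuance makes it stale) and comes from a repo the policy trusts.
func Resolve(id Identity, recs []VerificationRecord, pol TrustPolicy) (Badge, []string) {
	var trusted, untrusted []string
	for _, r := range recs {
		if r.Subject != id.DID || !strings.EqualFold(r.Handle, id.Handle) {
			continue
		}
		if pol.Roots[r.IssuerDID] || pol.TrustedVerifiers[r.IssuerDID] {
			trusted = append(trusted, r.IssuerDID)
		} else {
			untrusted = append(untrusted, r.IssuerDID)
		}
	}
	switch {
	case len(trusted) > 0:
		return BlueCheck, trusted
	case len(untrusted) > 0:
		return UntrustedOnly, untrusted
	}
	return NoBadge, nil
}

// The first two DIDs are the ones behind the pdsls.dev links in the thread;
// the rest are constructed for this example.
const (
	didBskyApp = "did:plc:z72i7hdynmk6r22z27h6tvur"
	didKlabnik = "did:plc:3danwc67lo7obz2fmdg6jxcr"
	didNewsOrg = "did:web:newsroom.example"
	didAlice   = "did:web:alice.example"
	didBob     = "did:web:bob.example"
	didCarol   = "did:web:carol.example"
	didMallory = "did:web:mallory.example"
)

func DefaultPolicy() TrustPolicy {
	return TrustPolicy{
		Roots:            map[string]bool{didBskyApp: true},
		TrustedVerifiers: map[string]bool{didNewsOrg: true},
	}
}

// SampleRecords is a constructed snapshot of the live records naming each subject.
func SampleRecords() []VerificationRecord {
	return []VerificationRecord{
		{didBskyApp, didAlice, "alice.example"},
		{didKlabnik, didBob, "bob.example"},
		{didNewsOrg, didCarol, "carol.newsroom.example"},
		{didMallory, didMallory, "mallory.example"}, // self-vouching in her own repo
	}
}

func main() {
	pol, recs := DefaultPolicy(), SampleRecords()
	for _, id := range []Identity{
		{didAlice, "alice.example"},     // root-issued: blue check
		{didBob, "bob.example"},         // issued by an individual: no blue check
		{didCarol, "carol.example"},     // left the newsroom, changed handle: stale
		{didMallory, "mallory.example"}, // self-vouched: untrusted issuer
	} {
		b, by := Resolve(id, recs, pol)
		fmt.Printf("%-16s %-36s issuers=%v\n", id.Handle, b, by)
	}
}
```

Revocation in this model is simply deleting the record from the issuer's repo, so the resolver has to run over the live set of records rather than a cached verdict; and the trust policy belongs to the viewer, which is what keeps this closer to a CA bundle than to one central list.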
> Bluesky’s moderation team reviews each verification to ensure authenticity.
How is this compatible with Bluesky's internal cultural vision of "The company is a future adversary"[1][2][3]? With Twitter, we've seen what happens with the bluecheck feature when there's a corporate power struggle.
[1]: https://news.ycombinator.com/item?id=35012757 [2]: https://bsky.app/profile/pfrazee.com/post/3jypidwokmu2m [3]: https://www.newyorker.com/magazine/2025/04/14/blueskys-quest...
We need a way to reflect that human "social trust" is born distributed, and centralising trust subverts it. But here, while they introduce third party verifiers, rather than individuals deciding which verifiers to trust, bsky is going to bless some. So this is just centralised trust with delegation.
I built handles.net[1] to make it easy for organisations to manage their members' handles. I think that using domain names for identity is neat and valuable, and I have a vested interest in its success as a paradigm, but... domain name "verification" is not the right solution today for non-technical people. I shared this sentiment a few months ago[2] and I have only become more confident in that assessment since.
The approach they've taken ("trusted verifiers") is an approach aligned with their values, as it is an extension of the labelling concept that is already well established in the ecosystem. As an idealist, it is a shame that they gave up; I think they could have had an impact on shifting how non-technical people view domain names and understand digital identity... but as a pragmatist, this is the right choice. Bluesky has to pick their battles, and this isn't a hill to die on.
[1] https://handles.net [2] https://news.ycombinator.com/item?id=42749786
It’s ironic that many comments are skeptical of strong centralized moderation, but they’re posting these comments on a forum with perhaps the strongest and most centralized moderation team of the entire internet.
All I’m saying is that if weak moderation has had a positive effect somewhere, it’s worth showcasing that. Otherwise the evidence is decisively in favor of strong moderation.
In terms of how to keep the moderation team from deteriorating, other platforms could learn a thing or two from HN: put someone competent in charge of the team, and give them lots of incentives to do well.
This is better than Twitter's nonsensical verification but still does not close the loop all the way. I think what is needed is a set of equivalency verifications. Sort of like the domain verification used in getting a TLS certificate.
Something like
bluesky user X is equivalent(has control)
to domain A(domain verification)
to youtube account B (youtube verification)
to mastodon account C (mastodon verification)
to D@nytimes.com (email verification)
So logically I would expect a protocol that allows cross domain verification. Best I can come up with is something that works sort of like domain verification extended to user@domain verification. That is, a better engineered version of "make a youtube video with the string 'unique uuid code' in the comment so that we can verify you own that youtube account".
The problem is that some domains would have no problem standing up this sort of verification. The Times only benefits from verifying its employees. However I can see fellow social media sites balking as this equivalency weakens their walls that keep people in.
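One way to engineer the ownership proof sketched above, as an added example in Go rather than anything proposed by the commenter or shipped by Bluesky: the verifier issues a challenge string that the user posts at the target (a video description, a profile bio, an email reply), and then fetches it back. The design choice that separates this from a bare UUID is that the token is an HMAC over the whole claim (subject DID, service, target, expiry) under a key only the verifier knows, so a token issued for one channel cannot be replayed to claim a different one, and it expires. The `atproto-link=` prefix, the claim fields and the in-memory `posted` map standing in for the real fetch are all invented for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claim says: the atproto account Subject also controls Target on Service.
type Claim struct {
	Subject string // DID of the Bluesky account making the claim
	Service string // e.g. "youtube", "mastodon", "email"
	Target  string // channel ID, user@instance, mailbox, ...
	Expires time.Time
}

// Challenger issues and checks challenge strings. The key is secret to the
// verifier, so nobody else can mint a token that will later verify.
type Challenger struct{ key []byte }

func NewChallenger() (*Challenger, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return &Challenger{key: k}, nil
}

// Token binds every field of the claim into the string the user must post, so a
// token issued for one (subject, service, target) cannot be reused for another.
func (c *Challenger) Token(cl Claim) string {
	mac := hmac.New(sha256.New, c.key)
	fmt.Fprintf(mac, "%s\x00%s\x00%s\x00%d", cl.Subject, cl.Service, cl.Target, cl.Expires.Unix())
	return "atproto-link=" + base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
}

// Verify succeeds if the text fetched from the claimed target contains a token
// matching this exact claim and the claim has not expired. Fetching is injected
// so the same check serves a video description, a bio or an email body.
func (c *Challenger) Verify(cl Claim, fetch func(service, target string) (string, error), now time.Time) error {
	if now.After(cl.Expires) {
		return errors.New("challenge expired")
	}
	body, err := fetch(cl.Service, cl.Target)
	if err != nil {
		return err
	}
	want := []byte(c.Token(cl))
	for _, field := range strings.Fields(body) {
		if hmac.Equal([]byte(field), want) {
			return nil
		}
	}
	return errors.New("token not found at target")
}

func main() {
	ch, err := NewChallenger()
	if err != nil {
		panic(err)
	}
	now := time.Now()
	claim := Claim{Subject: "did:web:alice.example", Service: "youtube", Target: "UCalice", Expires: now.Add(time.Hour)}
	tok := ch.Token(claim)
	// Constructed stand-in for whatever a real fetcher would read from each target.
	posted := map[string]string{
		"youtube/UCalice": "New video up! " + tok,
		"youtube/UCother": "Copied from Alice: " + tok, // replayed onto another channel
	}
	fetch := func(service, target string) (string, error) {
		if s, ok := posted[service+"/"+target]; ok {
			return s, nil
		}
		return "", errors.New("no such target")
	}
	fmt.Println("alice -> UCalice:", ch.Verify(claim, fetch, now))
	other := claim
	other.Target = "UCother"
	fmt.Println("alice -> UCother:", ch.Verify(other, fetch, now))
	fmt.Println("after expiry:    ", ch.Verify(claim, fetch, now.Add(2*time.Hour)))
}
```

The replay case is the one to notice: the same token string sits on the second channel, but because the token commits to the target, recomputing it for UCother gives a different value and the claim fails. Binding the expiry into the MAC likewise stops an old token from being dug up and presented later.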
> Additionally, through our Trusted Verifiers feature, select independent organizations can verify accounts directly.
As someone who believes in equal access and privilege, this is just horrible. "Trusted Verifiers" - how does the bsky team decide which orgs can be trusted? One could argue that this is worse than Twitter. And of course, the echo chamber is going to get worse.
Hamartia: the tragic flaw that takes the hero to the top will lead to its downfall.
It seems to me that BlueSky is trying to rewind the clock and be the pre-Elon Twitter. They had a decent chance to become what Signal is to messaging, but looks like they are trying to be just another Social Media company.
I think I've seen this movie before and it doesn’t end with meaningful community trust. It ends with people paying for status, accounts impersonating others with a wink and a checkmark, and eventually, trust being eroded by the very signal designed to uphold it.
I'm not a bluesky user yet but in reading through the post I discovered a problem with their implementation of the ID verification.
They describe it as a "blue check" when in fact it is a white check on a blue circular background.
Just nit-picking I guess, but sometimes I read a passage that describes something and I conjure an image in my mind of what I would see should I open my eyes with it all laid out in front of me. This does not fit the image that is described in the post and makes me want to question the author's observational skills.
The old blue checks were very useful as a way of knowing who was approved by the regime. So I sort of look forward to this, even if I still really struggle to even casually use bluesky.
If I was in a less charitable mood, I would categorize it as a misguided attempt at re-implementing previously failed ecosystem. But I am in charitable mood so allow me to say instead 'bold move. lets see if it pays off'.
Hey, I have this personal homepage. Available under a domain name. I trust myself, so I put a PNG of a blue check on it. If you don't trust me, I also have a blue check on my website that is put there by my best friend. Now you have to trust me. I guess I'm verified now, authenticated even.
The web really was better with more pseudonyms. I don't care if you are you, I can read your text, judge it on its merits (according to my yardstick) and I basically don't care if you or other people consume information that is true or false.
Pardon the naive question, but could verification not be accomplished by requiring to tie a form of payment to an account? Eg, a CC or equivalent? Outsource the identity validation to other institutions (eg banks), and benefit from their deep investment into identity verification. Would that not work?
It seems like the main problem with verification is that everyone is conflating what verification is or is supposed to be.
It doesn't mean "this person is trustworthy" it means "this person is who they claim to be". But people desperately want it to be the former, or some sort of club.
But these are completely orthogonal concepts that demand different solutions.
Bluesky should do better here though, their definition of "verified" is buried in the blog post as "authentic and notable". This is okay I guess, sort of matches old Twitter. But a bit wishy-washy.
One idea could be to link verification badges to Wikipedia (or Wikidata) entities so you understand who is confirming what about the account. "This Mark Cuban Bluesky account is the same as the Mark Cuban in this Wikipedia article" and let the Wikipedia editors fight over noteworthiness etc.
I'm not sure what is being verified here. Except that the someone has access to a bluesky handle and a DNS record.
And even that is not a guarantee, as it needs to be validated by the bluesky team, for which, in their own words, it helps to have connections with them.
Otherwise I could buy dozens of domains and spin up bots to churn out AI slop as "validated" accounts. I could buy linustorvalds.com for 25k and impersonate him.
It's still a two-tier system for clout-chasers. If you're cool enough, you get a "Officially Cool™" badge from the bsky team. If you're not, hope that a 3rd party provider decides to give you one. Or you're a second-grade netizen.
Shouldn't there be some kind of points-system to the verification?
If I am verified by 2 parties each of whom is verified by 10 parties each of whom is verified by 1 party then my verification score would be 20 (= 2 x 10 x 1).
Then people could trust me being me 20x more than somebody who is only verified by one party who is only verified by one party who is not verified by anybody?
Good! I’ve been using a third-party labeller (which is a great hack), but making it more user friendly and official is a great thing.
I’m a proponent of verification only for “important people”. Yes, the definition of important is funny, and people may feel slighted by it: but I’ve yet to find a system that helps me identify high quality sources so immediately on a social media platform.
Bluesky is riddled with pornography, even with the strictest settings enabled. I genuinely don’t feel comfortable scrolling any of the curated feeds in a public place except for my direct “Following” only feed.
Not sure how big of a priority this is for the team that runs it, but I would probably use it 20x more if it were run competently.
If you contextualize this as a form of limiting the power and reach of bots, and you avoid going down the rabbit hole of speech and censorship, then this move is actually a very clever way of scaling that out.
Trust is always going to be a game of cat and mouse, and this seems like just another move.
<checks Twitter development timeline> Yep, right on schedule.
Fine with this albeit very 'manual'...but not clear if any other choice. I do really like the domain username scheme and if anything this news just draws more attention to that because there's sooo many organizations/news outlets etc not taking advantage.
What’s the value in verification, exactly? Seems like a solution to a problem that doesn’t exist. Do non-idiots really get confused into thinking Jack Dorsey’s account is someone pretending to be Jack Dorsey?
Before Twitter did any sort of verification it was not difficult to determine whether an account claiming to be someone was actually that person for anyone who was actually interested.
I suspect a lot of people have this delusional fantasy where “verification” is going to shape political discourse in their favor.
Given usernames-as-domains, is there a reason to not just piggyback this on the X.509 web of trust?
After all, we already have an established and highly-monitored set of sibling "trust roots" — we call them Certificate Authorities.
And we already have an identity-validation system coupled onto X.509 FQDN-as-CN (i.e. TLS) certificates — certificate validation levels.
BlueSky could just:
1. require a domain username for verification;
2. require that the domain presents an Organization Validated (OV) cert for verification as a "public individual" (i.e. the kind with a "personal brand" — which usually implies "worth registering as an LLC");
3. require that the domain presents an Extended Validation (EV) cert for verification as a corporation.
...and the whole problem of identity validation becomes outsourced, and federated, and decentralized. (Federated because multiple sibling CAs; decentralized because every computer administrator gets to decide for themselves which CAs their machine should trust.)
---
A rebuttal might be that "EV certs can't be used for this, because EV certs are too expensive, take too long to get, and don't integrate well with automatic per-subdomain DV cert issuance via ACME."
But (IMHO) that's not a problem to be worked around; that's a problem to be fixed. Why leave a broken generalized web-of-trust infrastructure sitting there unused?
If an online casino can KYC/AML you in two minutes with a passport scan and a 3D camera photo, it shouldn't be impossible to do for OV+EV validation what we did for DV validation with ACME. (Ideally in such a way that you can do the interactive process once, receiving not a cert, but some kind of collateral; and then, later on, any ACME server should accept that collateral during an interactive domain ownership probe, to upgrade the DV cert it's issuing you into an OV/EV cert.)
---
The other neat thing about this approach is that, in a "fat" native BlueSky app (i.e. not just an Electron wrapper), the app wouldn't have to trust the BlueSky service to say who's verified. The app could TLS-validate each domain username itself, to compute the appropriate badge for that user — just as a web browser does when you visit a website. And it would presumably use your machine's OS TLS CA store for that validation, just as (some) browsers do.
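As an added example of steps 2 and 3 of that proposal in Go (not the commenter's code and nothing Bluesky ships), here is the part a client would run per domain handle: classify the leaf certificate's validation level from the CA/Browser Forum reserved policy OIDs in certificatePolicies plus the Subject O= field, check that the certificate is valid for the handle's host, and map the level to a badge. The assumptions: the OIDs are the CA/B Forum ones (2.23.140.1.1 for EV, 2.23.140.1.2.2 for OV, 2.23.140.1.2.1 for DV; CAs may also use their own), the certificates are self-signed throwaways minted in-process so the example runs offline, and chain validation against the OS root pool (cert.Verify, which is the real substance of the comment's last paragraph) is left out for that reason. The `hasOrg` guard is the practitioner's caveat: a policy OID is a claim made by the issuing CA, so it is only worth anything after the chain has validated to a root you trust to enforce that policy, and a certificate carrying the EV OID with no organisation in its Subject is refused rather than promoted.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// CA/Browser Forum reserved policy OIDs that publicly trusted CAs put in the
// certificatePolicies extension to state the validation level they performed.
var (
	oidEV       = asn1.ObjectIdentifier{2, 23, 140, 1, 1}
	oidDV       = asn1.ObjectIdentifier{2, 23, 140, 1, 2, 1}
	oidOV       = asn1.ObjectIdentifier{2, 23, 140, 1, 2, 2}
	oidCertPols = asn1.ObjectIdentifier{2, 5, 29, 32}
)

type Level string

const (
	LevelEV      Level = "EV"
	LevelOV      Level = "OV"
	LevelDV      Level = "DV"
	LevelUnknown Level = "unknown"
)

// Classify reads the validation level a leaf certificate asserts. The policy
// OID is honoured only if the Subject carries the identity that level promises
// (an O= name for OV and EV); a bare EV OID with no organisation is rejected.
func Classify(cert *x509.Certificate) Level {
	has := func(want asn1.ObjectIdentifier) bool {
		for _, p := range cert.PolicyIdentifiers {
			if p.Equal(want) {
				return true
			}
		}
		return false
	}
	hasOrg := len(cert.Subject.Organization) > 0
	switch {
	case has(oidEV) && hasOrg:
		return LevelEV
	case has(oidOV) && hasOrg:
		return LevelOV
	case has(oidDV):
		return LevelDV
	}
	return LevelUnknown
}

// BadgeFor is the comment's proposed mapping from validation level to badge.
func BadgeFor(l Level) string {
	switch l {
	case LevelEV:
		return "verified organisation"
	case LevelOV:
		return "verified public individual"
	}
	return "none"
}

// LevelForHandle is the per-user check: the leaf must be valid for the handle's
// host name, then its level decides the badge. Chain validation (cert.Verify
// against the OS root pool) is omitted only because the certificates here are
// self-signed throwaways; a real client must run it first.
func LevelForHandle(handle string, leaf *x509.Certificate) (Level, error) {
	if err := leaf.VerifyHostname(handle); err != nil {
		return LevelUnknown, err
	}
	return Classify(leaf), nil
}

// policyInformation is ASN.1 PolicyInformation without qualifiers.
type policyInformation struct {
	Policy asn1.ObjectIdentifier
}

// selfSignedWithPolicy mints a throwaway certificate for host with one policy
// OID. The extension is DER-encoded by hand so the result does not depend on
// whether this Go version marshals the PolicyIdentifiers or Policies field.
func selfSignedWithPolicy(host string, org []string, policy asn1.ObjectIdentifier) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	polDER, err := asn1.Marshal([]policyInformation{{Policy: policy}})
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:    big.NewInt(1),
		Subject:         pkix.Name{CommonName: host, Organization: org},
		DNSNames:        []string{host},
		NotBefore:       time.Now().Add(-time.Hour),
		NotAfter:        time.Now().Add(24 * time.Hour),
		ExtraExtensions: []pkix.Extension{{Id: oidCertPols, Value: polDER}},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	cases := []struct {
		host   string
		org    []string
		policy asn1.ObjectIdentifier
	}{
		{"newsroom.example", []string{"Example News Co"}, oidEV},
		{"person.example", []string{"Example Person LLC"}, oidOV},
		{"blog.example", nil, oidDV},
		{"sneaky.example", nil, oidEV}, // claims EV but carries no O=
	}
	for _, c := range cases {
		cert, err := selfSignedWithPolicy(c.host, c.org, c.policy)
		if err != nil {
			panic(err)
		}
		lvl, err := LevelForHandle(c.host, cert)
		fmt.Printf("%-18s level=%-8s badge=%q err=%v\n", c.host, lvl, BadgeFor(lvl), err)
	}
}
```

For a production check the order matters: validate the chain to a trusted root with the handle as the expected DNS name, and only then read the policy OIDs off the leaf; classifying first and verifying later invites exactly the "sneaky.example" case, a self-issued certificate that says whatever it likes.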
They can justify it however they want to all day long, but we've got enough real-world examples of verification to show that its core use isn't about protecting users, but about authorizing acceptable speech on a platform and protecting advertisers.
Domain verification was genuinely all the verification needed. This checkmark system is just a copy-paste troublemaker from Twitter, and we all saw how well that turned out whenever a celebrity or billionaire's account got hacked to shill grifto schemes. Training users to only look for a symbol just desensitizes them to the complexities of identity and sanctioned speech.
A new form of verification on Bluesky
(bsky.social) | 383 points by ink_13 | 21 April 2025 | 295 comments
Comments
We’re truly in the post-social media age.
Am I missing something?
Internet was intended to be anonymous.
Maybe people trying to protect their "brand"? Is there really that much demand for branded content?
Is this not still a top-down system, just with one level of indirection?
Something not-top-down might look more like the web-of-trust model.
A high score usually indicates a trusted account. Check it out here: https://bluefacts.app/top
https://news.ycombinator.com/item?id=40298552#40298804
Delegation similar to bluesky's "NYT org issues certs to journalist" is also possible and done in a far more versatile manner.
If you have a domain and want the ability to issue certs to others, email me...this will just be for experimenting of course :)
Can a country I don't like verify its president that I don't like either?
Prime minister? Members of the Senate? All citizens? Their own bot farm?
haha
Can't be that hard to have this
Not a good look.