This week’s implosion of Twitter has set off an unprecedented migration to alternatives, particularly the ActivityPub-based Fediverse. Since that implosion included a complete breakdown of the verification system (What do blue checks mean today? What will they mean tomorrow?) lots of people started off thinking about identity and impersonation in a decentralized space.
The previous verification system at Twitter was the kind of centralized approach most of us are used to. Twitter publicly attested the identities of about 400000 accounts belonging to institutions, brands, and various celebrities in the same way most people in the developed world rely on an ID card issued by a government. To think about how to build an identity system without a central authority, we have to look backwards. Before national ID cards, identity was largely managed through social connections. You were introduced to someone, in person, by a common acquaintance whom you both trust. That introduction attests your identities to each other. This is in essence the web of trust that Pretty Good Privacy tried to build via key-signing.
Of course, the process becomes more complicated when you aren’t in person. What if that letter of introduction is a forgery? Oddly, existing social media platforms worked on the electronic version of this problem in a roundabout way, with photo tagging. When I take a picture of someone and tag them when I post it, I’m attesting that the account I tagged belongs to the person whose image I posted. If you also recognize that person’s image, you can take that tag as evidence that a particular account belongs to a particular person.
In the Fediverse, such identity verification as there is relies on having control of some other website. Mastodon, the most popular ActivityPub implementation, allows you to place a link to your profile with a rel="me" attribute on your website. When you add the address of that page to your profile, it appears with a green check. What this actually does is show that the same entity controls the website and the Mastodon account.
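The link-back check described above can be sketched as follows. This is an added example, not Mastodon's own code: the function names, the URL normalization rules and the `social.example` sample pages are assumptions made for illustration. A passing check shows only that whoever edits the page also chose to link that profile, which is the "same entity controls both" property and nothing more.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

def normalize(url):
    """Reduce a URL to comparable parts: lowercased scheme and host, no trailing slash, no fragment."""
    p = urlsplit(url.strip())
    return (p.scheme.lower(), p.netloc.lower(), p.path.rstrip("/"), p.query)

class RelMeParser(HTMLParser):
    """Collects href values of <a> and <link> elements whose rel token list contains "me"."""
    def __init__(self):
        super().__init__()
        self.me_links = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("a", "link"):
            return
        attr = dict(attrs)
        # rel is a space-separated, case-insensitive token list (e.g. "me noopener")
        rel_tokens = (attr.get("rel") or "").lower().split()
        if "me" in rel_tokens and attr.get("href"):
            self.me_links.append(attr["href"])

def page_links_back(page_html, profile_url):
    """True if the page carries a rel="me" link whose target is exactly the profile URL."""
    target = normalize(profile_url)
    if target[0] != "https":  # assumption: only accept profiles served over TLS
        return False
    parser = RelMeParser()
    parser.feed(page_html)
    return any(normalize(href) == target for href in parser.me_links)

# Constructed sample pages (not real sites)
PROFILE = "https://social.example/@alice"
PAGE_OK = '<p><a rel="me noopener" href="https://social.example/@alice/">Mastodon</a></p>'
PAGE_NO_REL = '<p><a href="https://social.example/@alice">Mastodon</a></p>'
PAGE_OTHER = '<head><link rel="me" href="https://social.example/@mallory"></head>'

if __name__ == "__main__":
    for name, page in [("ok", PAGE_OK), ("no rel", PAGE_NO_REL), ("other", PAGE_OTHER)]:
        print(name, page_links_back(page, PROFILE))
```

The plain link without rel="me" fails on purpose: anyone can be linked to from a page, so only a link the page owner has marked as "me" counts as a claim of ownership.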
If you control a domain, you have another option: creating a Fediverse server within that domain. Since you control the domain, you control the Fediverse server. This method is an option for institutions as well as individuals. mastodon.archive.org has been launched by the Internet Archive and only IA employees are allowed to have accounts on this instance. Effectively, IA is publicly attesting the identity of the person attached to each of those accounts. It will be interesting to see if other institutions follow suit.