Internet Handle
52 points by op
It doesn't mention webfinger even in passing so to my eye it looks mostly like an advert for AT Proto and BlueSky.
Yeah, and doesn't mention ActivityPub which is federated, therefore handles end in your domain (if you host an instance)
if you host an instance
I think that's the key point here. The average user has to host an instance to own their identity—that's decidedly more complex than in AT land where your handle is decoupled from hosting.
One of my biggest beefs with ActivityPub is that not one of the major implementations supports hosting multiple domains using a single process (meaning that if you want 100 users to each bring their own domains, you need to run separate background workers, webservers, etc for each).
I raised feature requests and (for those with tech stacks I'm familiar with) offered to contribute a good chunk of the work, but so far that's been met with little interest.
My blog supports multiple domains on the same application: https://marius.federated.id and https://releases.bruta.link are running the same service, while being very different. :) However, it is not a major implementation by any means.
So, if you're familiar with Go, would love feedback, feature requests or code to improve it until it becomes one.
I'm pretty sure that in order for the DNS identity thingie to work you need to host an AT-Proto PDS.
This is definitely incorrect, all you need is the domain name and then you set some TXT records
Source: I have a custom domain for my handle and do not run a PDS
OK, thank you for the correction. :)
You realize however that's not much different than having a webfinger reply with resources that are on a different server?
It depends on whether the "DNS identity thingie" is a display handle or decentralized identifier (DID). The former does not, the latter does last I checked. https://docs.bsky.app/docs/advanced-guides/resolving-identities
And it doesn't mention OpenID either, which (long ago) started with the exact same premise: your blog host name is your identity. I encourage the author to read up on history.
You can’t really have a globally unique handle that works across all services in AP, since your identity is tied to your instance. It fundamentally goes against what OP talks about.
Sure you can. If you tag or search @nora@nora.codes, Mastodon and GoToSocial, at least, resolve it to my current account via webfinger, which is not hosted at nora.codes.
Can you use the same handle for Pixelfed? That’s what OP is talking about with sharing social graphs.
I don't think Pixelfed is a good example because it largely uses the same "vocabulary" as Mastodon. You could definitely use it for an ActivityPub service as different from Mastodon as, say, Tangled is from Bluesky.
It would be the same handle in the sense that it compares equal as a string, but it would share none of the social graph. That's the interesting part of a social identity, and in AP it's tied to the instance and service.
The ATProto photo sharing apps absolutely can and do reuse the handle and social graph of Bluesky. AT lexicons are composable and identities reusable, while in AP ~everything effectively coalesces around Note for Mastodon compatibility, and then the identity ends up usable only with one instance and service.
(Correct me if I'm wrong, I don't think you can have two Mastodon-compatible services under the same handle, right?)
This is actually really interesting because I completely disagree that sharing a social graph is the interesting part. In fact I have multiple ActivityPub accounts specifically to separate parts of my social graph!
As often, ActivityPub and ATProto are designed for pretty different use cases.
I think “social graph” is the wrong term here. It’s the unique identity (did:{plc,web}) that’s shared. For example, https://tangled.org has its own social graph, and doesn’t share it with say, https://bsky.app.
The problem current major implementations of ActivityPub share is that they focused on being both client and server for their users.
In an ideal world Pixelfed, Mastodon, etc would be only specialized clients that can communicate with the same generic ActivityPub backend, that shares their "social graph". In this scenario this generic server would be the equivalent of a PDS, albeit containing more logic and having to do more work.
So the possibility is there, people work for making it better known - at least I do - but mind share being what it is, we're not there yet when Mastodon has the largest concentration of users...
Though I disagree with you, a mention with this clarification would have been better than complete silence. Like it is now it either smells of advertising (which I already mentioned) or, more charitably, of ignorance.
Webfinger is designed for username at someone's domain. The site here is advocating for using domains directly
Webfinger supports using your domain just fine: https://marius.federated.id/.well-known/webfinger?resource=https://marius.federated.id
Here's my identity based on my blog.
Sure that's fair. Proper xrds and webfinger support using domains fine. But the mastodonoverse does not.
If you prefer the at notation, that works too: https://marius.federated.id/.well-known/webfinger?resource=acct:@marius.federated.id
But the mastodonoverse does not.
The link above is from an ActivityPub enabled service. Just because Mastodon doesn't do a thing, it does not mean it's not possible for the wider platform.
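The two lookups above (a bare `https://` domain and an `acct:` form answered by the same `/.well-known/webfinger` endpoint) can be reproduced with a small RFC 7033 responder. The following is an added example, not code from the thread or from marius.federated.id; the domain `alice.example`, the actor URL and the alias set are constructed.

```python
"""Added example (not from the thread): a minimal WebFinger (RFC 7033)
responder that returns the same JRD for a bare-domain resource and for the
acct: forms of one identity. All identity data here is constructed."""
from typing import Optional, Tuple
from urllib.parse import urlsplit, parse_qs

DOMAIN = "alice.example"                   # constructed identity domain
ACTOR_URL = f"https://{DOMAIN}/actor"      # constructed ActivityPub actor id
SUBJECT = f"acct:alice@{DOMAIN}"           # canonical subject we answer with

# Every resource form a client may send for this one identity.
ALIASES = {
    f"https://{DOMAIN}",
    f"https://{DOMAIN}/",
    f"acct:{DOMAIN}",
    f"acct:@{DOMAIN}",
    SUBJECT,
}
_NORMALISED = {a.lower().rstrip("/") for a in ALIASES}


def canonical_resource(resource: str) -> Optional[str]:
    """Map any accepted alias to the canonical subject; None if not ours.
    Host names are case-insensitive, so compare lower-cased and without a
    trailing slash."""
    if resource.strip().lower().rstrip("/") in _NORMALISED:
        return SUBJECT
    return None


def jrd_for(resource: str) -> Optional[dict]:
    """Build the JSON Resource Descriptor for a resource, or None."""
    subject = canonical_resource(resource)
    if subject is None:
        return None
    return {
        "subject": subject,
        "aliases": sorted(ALIASES - {subject}),
        "links": [
            {"rel": "self", "type": "application/activity+json", "href": ACTOR_URL},
            {"rel": "http://webfinger.net/rel/profile-page",
             "type": "text/html", "href": f"https://{DOMAIN}/"},
        ],
    }


def handle_request(url: str) -> Tuple[int, Optional[dict]]:
    """Emulate GET /.well-known/webfinger?resource=...; returns (status, body)."""
    parts = urlsplit(url)
    if parts.path != "/.well-known/webfinger":
        return 404, None
    qs = parse_qs(parts.query)          # parse_qs percent-decodes the value
    if "resource" not in qs:
        return 400, None                # RFC 7033: resource is required
    body = jrd_for(qs["resource"][0])
    return (200, body) if body else (404, None)


def self_link(jrd: dict) -> Optional[str]:
    """Pick the ActivityPub actor link a federating server would follow."""
    for link in jrd.get("links", []):
        if link.get("rel") == "self" and link.get("type") == "application/activity+json":
            return link["href"]
    return None


if __name__ == "__main__":
    for res in ("https://alice.example", "acct:@alice.example", "acct:bob@other.example"):
        status, body = handle_request(f"https://{DOMAIN}/.well-known/webfinger?resource={res}")
        print(res, "->", status, body and self_link(body))
```

The point the responder makes is that the resource string is just a lookup key: whether it is `https://domain`, `acct:domain` or `acct:user@domain` is a policy of the server that publishes the JRD, not a limitation of WebFinger itself.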
Reminds me of https://indieweb.org/principles, but without the open standards? I think I like the ActivityPub (and also email) model better, where it's user@domain - because, let's face it, most users won't buy a domain.
because, let's face it, most users won't buy a domain.
Why would they have to? Subdomains exist. If my instance is example.com, I could be dzwdz.example.com - and then, if I move, it could be a CNAME to dzwdz.net, or something like that.
In fact, I strongly prefer BlueSky's identity model precisely because of this - because there isn't an explicit user/instance split in handles, I'm somewhat less tied to the particular instance I'm using. Sure, ActivityPub has mechanisms for migration too, and this is a pretty subtle difference, but I do think it's meaningful.
Or, to put it another way - DNS already provides you with a way to migrate from one name to another. It's also specifically built to differentiate names from where exactly they're hosted. These are the exact properties I want from decentralized social media, so it's a natural fit.
consider in your analysis that the vast majority of people use did:plc:... as an indirection layer between their atproto handle and the hosting of their data, and the PLC directory is bluesky-specific
there's a grand total of 172 handles using did:web:<example.com handle> direct mapping
I only think DNS is a good base for decentralized social media; I never said I think BlueSky is that. It's still almost completely centralized, right?
all i was saying is that the PLC centralised indirect is both non-obvious and a centralisation that crept up for “simplicity”/UX benefits
wasn't necessary [as you wrote] but still cropped up
It's still almost completely centralized, right?
It really depends on what specifically you mean by "centralized."
I would argue that did:plc is the only real point of centralization, but you could make the argument that since did:web is supported as well, that it's not. But then you can make the argument that nobody uses that option, so in practice, it is, as your parent does. Etc.
You don’t have to squat handles anymore.
Sure, if you ignore domain squatting. If you want a simple domain, it's either already taken or costs a premium. This isn't really a solution; it'll always be a problem wherever the identifier must be unique.
I don't seem to have this problem. Any time I want to buy a novelty domain, there's dozens of options that all seem fine, for $12-20 a year.
Perhaps this is my own inexperience/incompetence, but I often see those domains available for $12-20, but then suddenly getting hiked up to $50 on renewal. Am I just bad at novelty domain shopping or is there a trick that I'm missing?
It depends mostly on the registrar: there’s a wide variation from scummy to solid. It’s common for the dodgier ones to sell initial registrations at a discount and make up the loss from higher renewal/transfer fees and/or hosting charges. When registering a domain you should look carefully at the provider’s documentation to see what they say the renewal and transfer fees are. If you can’t find a clear price list then choose a different provider, especially if their initial registration fees are unusually low.
My experience tracks with this.
I also feel compelled to point out that nobody is "buying" a domain. We do not "own" them. We rent them. Pricing can change whenever the registrar wants and if someone with a pile of cash comes along and wants that domain we're just using as a parking spot for a static site and small relay email, I'm willing to bet the registrar would be happy to find a way to give it to them.
I'm not sure tying all my handles to a single domain that I could lose is wise, but perhaps I am missing something. Happy to be enlightened otherwise, though. I feel like I should know more about the legalities of this than I do.
I'm not sure tying all my handles to a single domain that I could lose is wise,
If you're using did:plc, you can rotate the domain that you use for your handle, so it's resilient to this case.
Honestly, it's somewhere between buying and renting: registrars cannot arbitrarily take away your domain, and if they do, you can take that dispute to ICANN. If the registrar was egregious in their behaviour (e.g., immediately assigning it to another person if you weren't domainsquatting), they have to pay a substantial fine to ICANN in addition to whatever other penalties are applied and you get your domain back.
That said, it's not just a buy it and then you own it forever type of situation. It's generally a good idea to disincentivize actors from claiming thousands of interesting domain names and then re-selling them. Thus, once you have gotten a domain, you need to pay a land value tax of sorts to show that you still have a stake in owning it.
I do agree that the pricing on many TLDs is unconscionable, but registry owners get to choose their own pricing models. If .example sells you your first year for $9, but then charges $500 for renewals, that's something you'll have to take up with them. Certain registries are notorious for this, but the renewal costs are clear at time of initial purchase with most registrars so caveat emptor. I can tell you that, if the TLD I'm working on starting (.meow) gets accepted, we will aim for consistent and reasonable pricing, but that's just us.
I don’t really fully understand the domain market, but Porkbun will sell me fartsound.xyz for $1.50, renews at $12.98.
It's actually more than that, more like missing the forest for the trees.
Yes, I have a nick name, or internet handle. Even several of them in different spaces.
Yes, I have several domains. Only one of these domains has any relation to the nick I mostly use.
That is partially deliberate, partially accident. I like my domains but I don't want to be @example.org - I would have to register a new one, aka squatting and paying just for vanity purposes.
Is that my own fault? Yes, sure - but that doesn't make this a good solution.
Another approach for this problem, which doesn't suffer from the "claim your domain fast" problem almost described in the first paragraph of the OP, is more like the contact book on your phone: Just use pet names[1]!
Thinking about pet names and graph naming systems (going back to spki/sdsi) I’ve come to the conclusion that if they were ever deployed at a similar scale to the DNS the result would be remarkably similar to a cross between the DNS and PKIX, at least superficially.
The two main weaknesses of graph names are the “side of a bus” problem and more generally the bootstrapping problem.
The “side of a bus” problem is, if I see an ad on the side of a bus, how can I reach the service that is being advertised? There needs to be some widely-shared namespaces that can act as introduction services, so that (for example) someone can read out their email address and have some confidence that the person they are speaking to will be able to use it.
The bootstrapping problem is, when someone gets their first device that uses pet names, how do they get linked to the graph of names? What names would the software start off with? A bare minimum would be a pre-populated petname for the software’s provider, because that’s necessary for software updates.
But petname systems aim to be a decentralized PKI as well as a decentralized name system, which suggests to me that the solution to both problems would be like the PKIX root CA programs: an operating system will ship with a collection of “helpful” pre-populated petnames that refer to third party registries. These registries would operate the widely-shared namespaces, rather like DNS TLDs, but they would be organized by the software provider like the PKIX CAs.
Graph names would have some advantages compared to the DNS and PKIX:
it supports bottom-up friend-of-a-friend pathnames / nicknames, as well as global shared namespaces, within the same system; a petname is just a single-step pathname
you can elevate an indirect graph pathname to a direct pet name by making a local copy, to avoid having to trust a third-party registry
registries can’t claim to authenticate names they didn’t issue
it should be easier than it is with DNS tree names to reach a service by multiple paths/names, and it should be easy to verify that different paths lead to the same place
I’m not fond of either ICANN-like or PKIX-like centralization, but there are strong forces that drive large public namespaces towards that kind of setup. I don’t think it’s possible or even desirable to eliminate large registries, but it would be nice to have an infrastructure like graph names that allows individuals and groups to operate without depending on the rent-seekers.
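The comment above describes graph names in the SPKI/SDSI style: a petname is a one-step pathname, longer pathnames walk through other principals' maps, an indirect name can be copied into a local petname, and two paths can be checked for arriving at the same key. The following toy resolver is an added example, not code from the thread; every key (`key_me`, `key_frank`, and so on), every petname map and the vendor-shipped registry entry are constructed, standing in for public keys and signed name certificates.

```python
"""Added example (not from the thread): a toy SPKI/SDSI-style petname graph.
Keys are stand-ins for public keys; each map is a stand-in for a signed
certificate published by its owner. All names and keys are constructed."""
from typing import Dict, Optional

# principal key -> {local petname: key it refers to}
PETNAMES: Dict[str, Dict[str, str]] = {
    "key_me":       {"frank": "key_frank", "melissa": "key_melissa",
                     "os-vendor": "key_vendor"},          # bootstrap: vendor petname
    "key_frank":    {"daniel": "key_daniel", "melissa": "key_melissa"},
    "key_melissa":  {"daniel": "key_daniel", "registry": "key_registry"},
    "key_daniel":   {},
    "key_vendor":   {"registry": "key_registry"},         # vendor-shipped "root"
    "key_registry": {"daniel.example": "key_daniel",      # names the registry issued
                     "frank.example": "key_frank"},
}

MAX_HOPS = 8   # bound on path length so a cycle in the graph cannot loop forever


def resolve(start: str, path: str) -> Optional[str]:
    """Resolve a '/'-separated pathname from principal `start`.
    A bare petname is just a single-step pathname. Each step is answered
    only by the map of the principal reached so far, so nobody on the path
    can vouch for a name they did not issue themselves."""
    steps = path.split("/")
    if len(steps) > MAX_HOPS or any(s == "" for s in steps):
        return None
    key = start
    for name in steps:
        key = PETNAMES.get(key, {}).get(name)
        if key is None:
            return None
    return key


def same_principal(start: str, path_a: str, path_b: str) -> bool:
    """Do two different paths lead to the same key?"""
    a, b = resolve(start, path_a), resolve(start, path_b)
    return a is not None and a == b


def adopt(start: str, path: str, petname: str) -> bool:
    """Elevate an indirect pathname to a direct petname by copying the
    resolved key into the caller's own map; the intermediaries on the old
    path no longer need to be trusted for later lookups."""
    key = resolve(start, path)
    if key is None:
        return False
    PETNAMES.setdefault(start, {})[petname] = key
    return True


def vouched_by(registry: str, name: str) -> Optional[str]:
    """A registry answers only for names present in its own map."""
    return PETNAMES.get(registry, {}).get(name)


if __name__ == "__main__":
    print("frank/daniel        ->", resolve("key_me", "frank/daniel"))
    print("melissa/daniel      ->", resolve("key_me", "melissa/daniel"))
    print("same principal?     ->", same_principal("key_me", "frank/daniel", "melissa/daniel"))
    print("via vendor registry ->", resolve("key_me", "os-vendor/registry/daniel.example"))
    adopt("key_me", "frank/daniel", "daniel")
    print("after adopt, daniel ->", resolve("key_me", "daniel"))
```

The vendor-shipped `os-vendor` entry and the registry it points to are the part of the design that the comment compares to PKIX root programs and DNS TLDs: they are ordinary petnames in the user's own map, so a user can replace or delete them, and `adopt` is how a user stops depending on a registry for a name already learned.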
I'm not convinced that pet names are super useful. While I might be "that Daniel that Frank introduced me to at Melissa's party" in your mind, that doesn't mean that daniel.frank.org is sufficiently unique. So I still need to give you a handle.
If you have a social network you can try to resolve petnames/names/handles by searching for friends of Frank and Melissa named Daniel. Or, when you get a message from some Daniel you can display that they know both Frank and Melissa. That would be neat but it doesn't solve the handle problem to me because I still need one that I can give you.
One’s handle shouldn’t be a bare domain: it should be a user at a domain. That way one can create multiple handles; one can easily host handles for one’s family and friends without incurring the registrar tax for each one.
Email had the right idea here.
Subdomains work perfectly here to separate contexts/accounts: for example bsky.app vs safety.bsky.app!
I disagree. It makes more sense for me to be dzwdz.net than me@dzwdz.net, dzwdz@dzwdz.net, or something of that sort. (neither of these addresses is the actual one I use, btw :p)
Obviously, as other commenters have said, DNS is hierarchical, so you can use subdomains for this. In fact, you can have subdomains of subdomains! For example, work.dad.dzwdz.net, for my dad's work account. user@domain doesn't really provide a similar mechanism for further subdividing accounts, unless you're counting gmail's user+blah@domain thing.
One’s handle shouldn’t be a bare domain: it should be a user at a domain. That way one can create multiple handles; one can easily host handles for one’s family and friends without incurring the registrar tax for each one.
I'm not a fan of AT Proto, but as far as I know they recommend using a subdomain for each user, which I find weird. For example: @jussi@jussi.example.org. I believe this is because they rely on CNAME validation, so the required step would be creating a CNAME _atproto.jussi.example.org record to verify your account.
as far as I know they recommend using a subdomain for each user,
I don't see that recommendation anywhere, but it's possible I missed it. https://atproto.com/specs/handle#usage-and-implementation-guidelines
It is true that like, one way of doing this if you're sharing the domain is to use a subdomain per user, but it's not needed otherwise. And even then, someone could be the apex and other users would just be subdomains.
For example: @jussi@jussi.example.org
Your handle would just be @jussi.example.org in this case, no @jussi at the front.
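The exchange above (TXT records are enough, no PDS needed; a display handle resolves to a DID and the DID document must point back; a per-user subdomain such as `jussi.example.org` is one option while the apex can be another user's handle) can be checked with a small resolver. The following is an added example, not code from the thread or from the atproto project, written against the published handle resolution rules: the DNS TXT record at `_atproto.<handle>` with a `did=` value, the `https://<handle>/.well-known/atproto-did` fallback, and `alsoKnownAs` containing `at://<handle>` in the DID document. The DNS and HTTP data are constructed so it runs offline, and every DID is a placeholder.

```python
"""Added example (not from the thread or the atproto project): AT Protocol
handle resolution over constructed DNS and HTTP data, including the
bidirectional check that a handle is only valid when the DID document also
claims it. DIDs below are placeholders, not real identifiers."""
import json
from typing import Dict, List, Optional

# Constructed TXT records, keyed by owner name.
DNS_TXT: Dict[str, List[str]] = {
    "_atproto.jussi.example.org": ["did=did:plc:PLACEHOLDER_JUSSI"],
    "_atproto.example.org":       ["did=did:plc:PLACEHOLDER_APEX"],    # apex is a user too
    "_atproto.dup.example.org":   ["did=did:plc:PLACEHOLDER_A",
                                   "did=did:plc:PLACEHOLDER_B"],       # ambiguous
}

# Constructed HTTP responses, keyed by URL (body text).
HTTP: Dict[str, str] = {
    "https://nora.example/.well-known/atproto-did": "did:web:nora.example\n",
    "https://nora.example/.well-known/did.json":
        '{"id": "did:web:nora.example", "alsoKnownAs": ["at://nora.example"]}',
    "https://plc.directory/did:plc:PLACEHOLDER_JUSSI":
        '{"id": "did:plc:PLACEHOLDER_JUSSI", "alsoKnownAs": ["at://jussi.example.org"]}',
    # This DID document no longer claims example.org: stale handle.
    "https://plc.directory/did:plc:PLACEHOLDER_APEX":
        '{"id": "did:plc:PLACEHOLDER_APEX", "alsoKnownAs": ["at://old.example.org"]}',
}


def normalise(handle: str) -> str:
    """Handles are case-insensitive; a leading @ is display sugar only."""
    return handle.strip().lstrip("@").lower()


def handle_to_did(handle: str) -> Optional[str]:
    """Forward direction: DNS TXT first, then the HTTPS well-known fallback."""
    handle = normalise(handle)
    values = DNS_TXT.get(f"_atproto.{handle}", [])
    dids = [v[len("did="):] for v in values if v.startswith("did=")]
    if len(dids) == 1:
        return dids[0]
    if len(dids) > 1:
        return None                   # more than one did= record is an error
    body = HTTP.get(f"https://{handle}/.well-known/atproto-did")
    if body is None:
        return None
    did = body.strip()
    return did if did.startswith("did:") else None


def did_document(did: str) -> Optional[dict]:
    """Fetch the DID document for the two methods atproto supports."""
    if did.startswith("did:plc:"):
        body = HTTP.get(f"https://plc.directory/{did}")
    elif did.startswith("did:web:"):
        domain = did[len("did:web:"):]
        body = HTTP.get(f"https://{domain}/.well-known/did.json")
    else:
        return None
    return json.loads(body) if body else None


def verify_handle(handle: str) -> Optional[str]:
    """Return the DID only when handle -> DID and DID -> handle both hold.
    A one-directional claim must be displayed as an invalid handle."""
    handle = normalise(handle)
    did = handle_to_did(handle)
    if did is None:
        return None
    doc = did_document(did)
    if doc is None or f"at://{handle}" not in doc.get("alsoKnownAs", []):
        return None
    return did


if __name__ == "__main__":
    for h in ("@jussi.example.org", "nora.example", "example.org", "dup.example.org"):
        print(h, "->", verify_handle(h))
```

Two cases worth noting: `example.org` resolves forward to a DID, but that DID document now lists a different handle, so the resolver reports it as invalid rather than trusting the DNS side alone; and `dup.example.org` fails because two `did=` records make the answer ambiguous. Rotating a handle under a `did:plc` identity, as mentioned further up the thread, is exactly an update of that `alsoKnownAs` list plus a new TXT record at the new name.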
The atproto angle is certainly interesting, but as someone who's had her own email domain for literally decades, I'm kind of amused at the rebranding of "having a custom domain" as an "internet handle"
This lacks a proper problem statement.
Yes, DNS has CNAMES but what does that actually solve? You can point to a new service if you want to migrate, but you could just as well use a hosting service for email and mastodon which supports custom domains. Then you can migrate by moving to a different provider. But people don't and people also don't set up CNAMEs.
And note, if you now set up another system what do you effectively end up with? twitter:@foo@x.com github:@foo@github.com email:mail@foo.net bluesky: ... mastodon: ... web: ... phone: ... address: ... passport id: ...
When I navigated to Tangled (which I was unfamiliar with), it encourages me to create a tngl.sh handle before it mentions to use my Bluesky account. So I went to the sign-up page, only to be asked for my e-mail address (which happens to also be my Bluesky account handle), which furthermore asked for a handle to specify (which is constrained to 4 or more characters). Only after squatting on a new Tangled handle did I realize that I could just use my Bluesky account.
This is extremely confusing, and reminds me of https://xkcd.com/927/.
there's this text on the signup page:
Already have an AT Protocol account? <Login to Tangled>
but this is easily missed, evidently.
It's very sad to me that having a domain is so niche. In large part because registrars mostly suck and don't market themselves to personal use cases or easy onboarding.
This is weird, it’s saying “a domain is already your identity”, and gives a whole bunch of examples and word soup (human made, I’m not saying AI slop), and then … starts talking about subdomains as if they were also domains?
At a fundamental level there is no difference between foo.bar.com and bar.com/foo.
This post seems to be trying to launder a social network identity as an actual non-service specific identity?
Given the domain name I’m inclined to believe this is functionally an advertisement?
I have mixed feelings about this.
On one side, I do have my own domain and I do use it for a bunch of stuff, including the indielogin. On the other hand, I'm very well aware that domains are not forever, and once you lose it you lose all accounts and emails linked to it, which is particularly scary.
Also, I like that each app supports its own handles. It means one can have a random one so it is more difficult to track them across platforms.
With did:plc, you can rotate your domain if you'd like to use a different one for any reason.
Nobody forces you to use the same domain for every atproto app, if you want to make a new handle for each one, that's just fine too.
What if every internet user followed this advice? Would domain names keep working?
I'm not sure we can come up with billions of meaningful usernames without this system breaking and everything becoming a sea of garbage names for most people, with the difference that they would be paying a lot for them.
We must also consider that, with 100x more demand for domains the squatting appetite is also likely to increase by a similar proportion. Who knows?
I don't know. Like the author, I didn't do the math.
It could also be interesting to consider how much money the cabal that sells domains would earn from that.
Like 1000x more than they do today at least. How does that change the incentives?
Or if everybody was using domains how much more power would the domain authorities have and how much more political pressure or other kinds of pressure they would suffer.
A domain-based system, which also requires payment, seems unsustainable to me, as well as being extremely centralized. A system based on cryptographic key pairs with simple vanity names is preferable. Check out Nostr.
With Nostr you can also use a username@domain.tld handle as a proxy to your profile (NIP-05), but it's totally optional. It is useful for quickly sharing one's identity or for proving that a user is tied to an organization.
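The NIP-05 mechanism mentioned above is a lookup of `https://<domain>/.well-known/nostr.json?name=<user>` whose `names` object maps the local part to a hex public key; the identifier `_@domain` is displayed as the bare domain, which is the closest Nostr comes to the domain-as-handle idea in the original post. The following verifier is an added example, not code from the thread or from any Nostr client; the responses are constructed and the public keys are placeholders.

```python
"""Added example (not from the thread or any Nostr project): verifying a
NIP-05 identifier against the domain's /.well-known/nostr.json, with
constructed responses so it runs offline. Public keys are placeholders."""
import json
import re
from typing import Dict, Optional

# Constructed HTTP responses keyed by URL.
HTTP: Dict[str, str] = {
    "https://bob.example/.well-known/nostr.json?name=bob":
        '{"names": {"bob": "PLACEHOLDER_HEX_PUBKEY_BOB"}}',
    "https://bob.example/.well-known/nostr.json?name=_":
        '{"names": {"_": "PLACEHOLDER_HEX_PUBKEY_ROOT"}}',
    "https://broken.example/.well-known/nostr.json?name=x": "<html>not json</html>",
}

# NIP-05 restricts the local part to these characters, case-insensitively.
LOCAL_PART = re.compile(r"^[a-z0-9._-]+$")


def split_identifier(identifier: str) -> Optional[tuple]:
    """Return (local, domain) with the local part lower-cased, or None."""
    local, sep, domain = identifier.strip().partition("@")
    local = local.lower()
    if not sep or not domain or not LOCAL_PART.match(local):
        return None
    return local, domain.lower()


def display_name(identifier: str) -> str:
    """NIP-05 shows `_@domain` as just the domain."""
    parts = split_identifier(identifier)
    if parts is None:
        return identifier
    local, domain = parts
    return domain if local == "_" else f"{local}@{domain}"


def nip05_pubkey(identifier: str) -> Optional[str]:
    """Look up the public key the domain publishes for this name."""
    parts = split_identifier(identifier)
    if parts is None:
        return None
    local, domain = parts
    body = HTTP.get(f"https://{domain}/.well-known/nostr.json?name={local}")
    if body is None:
        return None
    try:
        names = json.loads(body).get("names", {})
    except (json.JSONDecodeError, AttributeError):
        return None
    return names.get(local)


def verify(identifier: str, claimed_pubkey: str) -> bool:
    """True only if the domain publishes exactly the key the profile claims.
    A profile can assert any identifier; only this check ties it to the domain."""
    key = nip05_pubkey(identifier)
    return key is not None and key == claimed_pubkey


if __name__ == "__main__":
    print(display_name("_@bob.example"), verify("_@bob.example", "PLACEHOLDER_HEX_PUBKEY_ROOT"))
    print(display_name("bob@bob.example"), verify("bob@bob.example", "PLACEHOLDER_HEX_PUBKEY_BOB"))
```

The identifier is a claim made in the user's own profile event, so a client that shows the check mark without calling `verify` lets anyone display any domain; the domain lookup is the whole proof.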
If I want to participate in the BlueSky universe but from a domain which is not the canonical BlueSky domain, where should I go?
The answer to this question depends on what specifically you mean by “participate,” like how far you want to be away from bsky infra. If you want to own your own data, you’d run your own PDS on whatever domain you’d like. If you want to use a different client, there’s a bunch to choose from. If you also don’t want to be using their relay, you can run your own or use one of the alternative ones there too.
Blacksky is the most plug and play, most divorced set of infrastructure at the moment.
I really wish the dream of decentralized open social platforms, or ATproto, or activityPub, or whatever - gets traction beyond the nerd-world at some point. I fear that at this point all the truly decentralized attempts will be relegated to the nerd-backwaters of the internet, and maybe that is fine and for the best.
Most people are lazy and not good at computers. It would take a monumental amount of effort to make any decentralized services truly palatable to a wider audience...and I don't mean regular joe users, I mean even the somewhat tech-curious folks. Have you watched a regular person navigate a standard login form or 'create account' flow lately? And you think they will "claim an identity" or hell, setup CNAME records?
Decentralized shit is hard. I had my openid identity tied to my own domain in the early 2000s, and it worked across a bunch of things for a while until centralized auth from big tech took over and openid got dropped. And even then, it was flakey and weird and I often just created a unique login to sites I cared about, because the weird decentralized login flow would get zero support for most providers.
I dunno why I'm ranting, I applaud folks trying to make this work, I wish we were in a world where I had more faith in it...but my eyes glaze over when I read discussions on 'data ownership' or the endless technology debates. And I'm the target audience! I've been in software for 30 goddamn years, but this is just all way too hard (unless your next job or funding round depends on it of course, ymmv).
tldr: Don't Make Me Think