
I've wanted to have domains as identity for years, so I'm thrilled to see someone actually doing it. I want to use a domain validated identity for everything: social networks, package repositories, code signing, etc.

I hope this idea catches on. I think a more decentralized approach to identity combined with 3rd party attestations or filters could change the way the internet works.

Imagine what could be built if everyone used domains as handles / identities. Social networks could go hands off for moderation and allow pluggable moderation engines that rely on domains for identity, trust, reputation, etc.

I'm convinced that domain validated identities and attestation could usher in a revolution for reputation and trust. Are there any more projects doing similar things?




I personally don’t want to use a domain name for everything. I want all my identities to be unique, I want an infinite number of them, that I can change between multiple ones per service and that they’re not connected to each other unless I specifically say so, and they should be fully free and permissionless for me to create.

Public/private keys have or enable all those properties.

While there are many problems with how domains work today as a public goods system, domain names as identities is infinitely better than what we have now, but I think we can have it much better and domain names are one step in that self-sovereign ownership.


I think you missed the part when the original username was a subdomain of bluesky. There will be a great many anonymous registration services I'm sure. And things like afraid.org make that number of possible domains you can use anonymously a truly massive number.

The problem with pub/priv keys as user identities is discoverability and validation. How do I find your key? How do I prove this key is actually yours? Sure they are anonymous, but that isn't a desirable property if you are an established public figure.


Most of us are not established public figures and many of us, I’m sure, want to keep it that way.

With keys, validation can happen in several ways: attestation by reputable orgs, reputation systems, off-band, 2FA, “Hi, I’m John”, etc etc. Discovery is also highly context dependent in that it can and should happen “in the app/system” (=whatever the context of the use case is, eg. you know me by pubkey 123, the tax office knows me by pubkey xyz).

“anonymous registration services” from the perspective of self-sovereign identity is by definition not anonymous :)


To be clear, I understand the desire for truly anonymous services. But after two decades of experimenting and thinking of this problem, I don't think it is possible for a truly anonymous solution that is also ergonomic to use.

Things like Briar exist, and for your use cases, existing tools might be enough. Briar is fantastic for communicating with people you know and willing to jump through some hoops to be part of a community that is anonymous, secure, and provides lots of ways of making introductions and posts.

But there are reasons why Meta, Twitter, Linkedin and the like are well above any anonymous solution in terms of users.

- Identity (including pseudo identity of anonymous users) is established.

- Spam. There is an ungodly amount of spammers out there, as email has shown. If you have played with nostr or scuttlebutt you would also see just how horrible the spam is.

- Account recovery, people are bad with passwords and storing secrets. Very bad. And even the most secure people can get exploited.

- Hosting your data is problematic. Who hosts data which may be illegal? When illegal data is flagged, how does it get purged? Merely being the transit for data is protected in the US, but physically hosting that data is not.

- The vast majority of people are unable to run a persistent service for their identity and content. Even if they are willing, they lack the means. You end up targeting a very small subset of people who are willing, able, and capable of running a service. And that service requires care and feeding. You might end up with millions of vulnerable instances.

- Scalability. No one has come remotely close to solving how one of these solutions would scale to billions of users. Or even tens of millions. DHTs become painfully slow and bloated. Even if a solution did start catching on, it would quickly then fail because the user experience would crater as it gains popularity.

I have become convinced that making an ergonomic briar is impossible without making some concessions.

Complaining that a new and unproven tool's chosen concessions are bad inhibits experimentation.


These are fantastic observations and I hope I’ll have time to get back to them in detail.

I can’t say there’s a simple solution to all of these, today, but my intuition and optimism says there’s a solution for all of these :)


The problem with infinite, easy to create identities leads to a well researched attack, known as a Sybil[1] attack.

If there isn't some type of cost or friction to creating identities, you will have a lot of bad behavior, full stop. This has been shown time and time again, so it's basically a non-starter. I don't want to be part of any social network that has this feature (infinite identities), it's going to eventually turn to shit or require intense moderation (or both!)

1. https://en.wikipedia.org/wiki/Sybil_attack


I think this is true if the system is global or there’s a model where Sybil resistance is “here everyone, have an access to write to the database”. In a system like HN there’s value in Sybil resistance. On your Twitter feed, almost none.

So I disagree this is a non-starter, because we didn’t find a solution in the past, but rather an ideal place to start and a great space to discover new Sybil resistance mechanisms (which we have over the recent years).


Domain based identity also enables attestation which could be used to artificially add even more friction. Plus, since it's not constrained to a single platform, you could have 3rd parties that assess trust and reputation.


> I've wanted to have domains as identity for years, so I'm thrilled to see someone actually doing it.

on a tangentially related note: Go "package management" is based on domain identity (although most people just use github.com), yet for some reason people seem to prefer to defer to a centralized registry and praise "good package managers" like cargo.


Yeah. I've used that enough to learn how it works. I think the biggest issue is that it's not the default and most people take the easiest path which is using GitHub, etc. There's a neat project that can help generate some of the web resources needed to use vanity imports:

https://github.com/leighmcculloch/vangen


The pattern repeats fractally in everything. Since you mention Github - it happens to be by far the most widely-used, centralized repository hosting, and promoter of pull-request based workflows - for a version control system whose whole entire point is for you to not do that. I mean, the "D" in "DVCS" doesn't stand for "has no manual file-level locking".


people lose domains by forgetting to renew all the time. major corporations do it. do you want people to be compromised/have their identity stolen because they forgot to pay 7.99 to ICANN?


Forgetting to renew a domain is much harder than it used to be [1]. ICANN rules require 2 reminders prior to expiration and 2 notifications after expiration. They also require a 30 day minimum RGP (redemption grace period) where DNS doesn't resolve and you can still recover your domain.

If anything, I think having a domain tied to multiple services that break when the domain expires will help people notice so they can redeem within the grace period.

Impersonation via an expired domain might be an issue, but that's already a problem we have to deal with and I don't see how it could get significantly worse, especially since services could put up warnings when domains move between accounts.

1. https://www.icann.org/resources/pages/errp-2013-02-28-en


yes, I prefer this to being kicked out because my child needed medical care and I followed the doctor's advice. Or my device vendor considers the device 'too old'. Or any other arbitrary reason.

Where I live domain contracts auto-renew. And have reclaim processes.


What is this in reference to?


The doctor's advice is probably the father who got booted out of the entire Google system because he sent the pediatrician a photo of his son that the AI classified as CSAM, and Google refused to reinstate access to his data despite a ton of media outrage.


Though that is a problem, I'm trying to understand the point still. Is this being brought up because Google is a registrar?


Presumably because Google offers social identity auth now (which could be revoked arbitrarily).


And, not disagreeing, but a moot point as well.

It’s not like ICANN is guaranteed to not kick you out for “hosting illegal child pornography and advocating organized violence”. It will happen once enough individuals start relying on DNS.


ICANN isn't in control over DNS because that's some platform they own but because they are a public institution and managing DNS is their mandate. Consequently, they don't get to nuke your domain and then tell you to pound sand.

ICANN also cannot boot your domain directly - they only control the root zone and delegate responsibilities. Maybe for gTLDs they have some say but if you get a ccTLD then the only one who can kick you off is the corresponding country - and if it is your country then that greatly improves your chances of pursuing legal action if your domain is taken away without due process.


I hope a judge will have a say.


exactly


(not OP but…)

The Doctor's advice I don't get the reference¹, but for deprecating a device this could be a concern if your phone or similar device suddenly stops working² and that is required to prove who you are.

--

[1] perhaps searching for some officially, erm, unsupported medication resulting in getting blocked by a service that is closely enough linked to an identity provider that the ID account is locked also? It seems a stretch.

[2] or is lost/stolen – a potential problem with any physical security token or virtual token if you only have it associated with a single device


examples are numerous. There was this father who sent the doctor photos of a medical problem of his child and the trustee of the digital identity locked his account. With all his digital life, payment channels, communication, you name it. Even the police asking the trustee to unlock was of no avail. https://www.nytimes.com/2022/08/21/technology/google-surveil...

Or there is this Munich company whose employee visited its parents and immediately the company github account got locked. Parents happened to live in Iran.

The tip of the iceberg, however.


That's not a problem. I don't mean that in the sense that it doesn't happen. Rather that the market succeeds despite it. People forget to pay fines, mortgages, taxes -- the system has rails to put most back on the correct path. And the failure isn't permadeath. Your domain expires and life goes on.

There are also protective mechanisms to prevent your domain from expiring. You can pay a balance in advance. Pay for "renewal insurance", etc. As more people use the system, it will grow even more safety rails.


>Your domain expires and life goes on.

Replace 'domain' with 'identity' and you have a very scary proposition. This is just another form of 'code is law' and doomed for all the same reasons. Bugs and exploits become severe threats to your wealth and well being. As much as we hate to depend on institutions and 'other people', depending on computer programs is inherently worse.


If you use your domain for email, you already have this problem.

This problem isn't new at all.

Would you rather have a situation of ownership with responsibility or no ownership at all?

The "free" alternative is a crypto like identity, and there's zero restitution if you lose your key. People will struggle even more with this. At least with domains there is a legal framework if you're paid up.


But the stakes are much higher here. You can fix those things if you forget.

You're in trouble if you forget to renew your domain.

And you're in much bigger trouble if your identity is tied to ownership of that domain.


This was a big fad from around, and then rapidly died, as most users simply didn't care. Instead we got attempts at e.g. OpenID and similar, which rapidly converged on a handful of large identity providers who ended up dominating.

A large problem to encourage and retain a truly decentralised nature is usability. It must be as simple as allowing a site to authenticate you with Google or Facebook, as most users don't care enough to be willing to do more than that, including finding somewhere they trust to register something new.


I always liked the idea of OpenID, but you're right, it was far too complex for the average person. I was enthusiastic about it, but never got around to using it because it wasn't simple enough.

I think the kind of approach used here is a bit better than OpenID in terms of separating authentication and identity. You have a permanent account on the service for authentication and the identity (your domain) is more of a pointer / shortcut. That strikes a good balance in terms of letting the service provider dictate authentication policies without usurping your identity people recognize.

Unfortunately I don't think any of the big tech companies would get onboard with an idea like this. They're all racing / competing to control identity right now. Although I've always thought the idea would fit well with Twitter.


I was more talking about the "domains as identity" part that preceded OpenID than OpenID itself. OpenID was if anything much worse in that respect, partly because it tried to solve the authentication problem, not just the "central place to look up information about a user" problem.

I don't think having users maintain this domain bit will work very well unless it's integrated with a service provider you're already using, so you'll depend on users relying on decentralised providers already for it to work.

But note that OpenID also allows this. While I used OpenID directly on my own site for a short while, for most of the time that I used OpenID I just added a record to my site that pointed to a third party provider.

The same ability to point somewhere else also exists just fine today with WebFinger, and the Fediverse. E.g. my galaxybound.com/.well-known/webfinger endpoint [1] redirects to m.galaxybound.com, which is my Mastodon install. I could've also put in place a custom webfinger response at my main domain to point somewhere entirely different or add additional resources if I wanted. Similarly, there's nothing stopping e.g. registrars from offering custom webfinger resolution as an extra service.

Personally I'd much prefer that wins, since webfinger provides a single lookup mechanism that can return any number of different types of records for different services without each of them having to invent their own mechanism. This includes using it to discover the OpenID Connect provider for a given user (request /.well-known/webfinger with the "rel" url parameter set to url encoded "http://openid.net/specs/connect/1.0/issuer", and "resource" set to the relevant account URI; setting the "rel" parameter is optional - including it is just a hint that's the only setting you need/want) so you can use it both to indicate authentication preference and to provide arbitrary pointers about your identity.

[1] https://m.galaxybound.com/.well-known/webfinger?resource=vid...
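Added example (not part of the comment above, and not the commenter's code): the WebFinger lookup for an OpenID Connect issuer, building the query and parsing the JRD reply. The account `alice@example.com`, the issuer host `idp.example.net` and the sample response are constructed for illustration.

```python
import json
from typing import Optional
from urllib.parse import urlencode, urlsplit

# Link relation named in the comment for OpenID Connect issuer discovery.
OIDC_ISSUER_REL = "http://openid.net/specs/connect/1.0/issuer"

# Constructed sample reply (JSON Resource Descriptor); not captured from a real server.
SAMPLE_JRD = json.dumps({
    "subject": "acct:alice@example.com",
    "links": [
        {"rel": "http://webfinger.net/rel/profile-page",
         "href": "https://social.example.org/@alice"},
        {"rel": OIDC_ISSUER_REL, "href": "https://idp.example.net"},
    ],
})


def webfinger_url(account: str, rel: Optional[str] = None) -> str:
    """Build the /.well-known/webfinger query for an account written as user@host."""
    user, sep, host = account.rpartition("@")
    if not sep or not user or not host:
        raise ValueError("expected an account of the form user@host")
    params = [("resource", f"acct:{user}@{host}")]
    if rel is not None:
        params.append(("rel", rel))  # a hint only; the server may ignore it
    return f"https://{host}/.well-known/webfinger?" + urlencode(params)


def oidc_issuer(jrd_text: str, resource: str) -> dict:
    """Return the issuer URL from a JRD, and whether it lives on another host."""
    jrd = json.loads(jrd_text)
    # The reply must describe the resource we asked about (as subject or alias),
    # otherwise we would be trusting links that belong to someone else.
    described = {jrd.get("subject"), *jrd.get("aliases", [])}
    if resource not in described:
        raise ValueError("response does not describe the requested resource")
    # Filter by rel ourselves: the "rel" query parameter does not guarantee
    # that only matching links come back.
    for link in jrd.get("links", []):
        if link.get("rel") != OIDC_ISSUER_REL:
            continue
        parts = urlsplit(link.get("href", ""))
        if parts.scheme != "https" or not parts.hostname:
            raise ValueError("issuer href must be an https URL")
        account_host = resource.rpartition("@")[2]
        return {"issuer": link["href"], "delegated": parts.hostname != account_host}
    raise LookupError("no OpenID Connect issuer link in response")


if __name__ == "__main__":
    print(webfinger_url("alice@example.com", OIDC_ISSUER_REL))
    print(oidc_issuer(SAMPLE_JRD, "acct:alice@example.com"))
```

The `delegated` flag marks the case the comment describes, where the domain owner points authentication at a provider on a different host.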


nothing will be as simple to onboard as a billion-dollar monopoly solution.

agency requires a least bit of activity.


Well, this is the challenge, because most people don't care. So anyone who wants effective decentralisation rather than just the possibility of decentralisation needs to solve that challenge.


I know, David won.


Too late to edit now, but should have read "from around 2000".


We've been using domain names for identity in the IndieWeb (https://indieweb.org/why) particularly for the IndieAuth extension to OAuth2 (https://indieauth.spec.indieweb.org) and it's worked pretty well


I agree, I'm just worried if it truly catches on, domain prices will become a strange new hot button issue.


It's not strange IMO. Domains need to be cheaper. Even "non-profit" .org includes a mandatory donation and a bunch of other fat.


If you're willing to consider PGP, there's also https://wiki.gnupg.org/WKD which provides a much neater mechanism for domain owners to publish pub keys that can be used for identity verification too.

Also somewhat intersecting with that space is https://keyoxide.org/ which can provide proofs of that identity across different services.


Currently, a domain can only be a brand and cannot be a true identity. There are methods to get free domain names [1], domain names without identity validation [2], etc. So, a domain is nothing but a method of verifying internet presence.

[1] https://www.hostinger.com/free-domain one example

[2] Any regular domain purchased from a registrar. You simply pay and get the domain with no further identity validation required.


The reason I say I think domains make a great identity is that I don't think it's important for identities to be verified. I even think there's room for 100% anonymous blockchain domains.

The value is in the way the domain owner participates online and what kind of reputation they build. There are many old-school communities where I recognize the handles of extremely knowledgeable, friendly, helpful people and I have no idea what their real names are.

Imagine if the well earned reputations of high quality participants were transferable across online communities by using a domain as global handle.


A domain can expire and be used by a different party. A different person can maintain a website. There are many ways a domain's admin can change. Domains are not guaranteed to be unique even if they are in some cases considered anonymous.


An idea to help with this would be a new resource record type, with an opaque value that changes only when the domain changes hands (yes, it is up to the registrar to decide when to change the value).

The resource records would live underneath registry.arpa, which has delegations that correspond to delegations at the DNS root; so to find out if example.com has changed, you can query:

    $ delv example.com.registry.arpa OWNER
    example.com.registry.arpa.     3660     IN     OWNER     "MEpnFkIk4sKW_oLPEl-R7WxFSAnWvgZnLYmRtn-3BkY"

You could put other stuff in there too, such as the start-date of the current registration... this is starting to sound like whois but structured and machine readable. Why on earth did that never take off!

An interesting related thing is the approach adopted by iSCSI, which constructs iSCSI Qualified Name (IQN)s by qualifying the domain name with the dates of registration.

So iqn.2003-05.com.example is a different identity to iqn.2021-01.com.example.


1. Domains are guaranteed to be unique. We have global registrars and global DNS, it's not possible to have duplicate domains.

2. Don't utilize a domain that is shared by lots of people. There are also lots of DNS tricks (TXT records) to "pin" a user to a domain or whatever. If the domain is shared (for example a company website), you just add a TXT record denoting what private key is allowed to do things. Heck you could set up fine grained permissions per key via txt records.

2. Yes they can expire and that situation is detectable. How is this any different than twitter or another service allowing re-use of a deleted username?


Of course domain names are unique... As long as BGP routes aren't poisoned or a million other issues. However, the issue mentioned in this thread isn't whether company ABC has abc.com but that 10 people at ABC can administer abc.com.

Twitter allowing reuse of deleted usernames is completely different than an existing domain that is used as an identity credential to represent different people over time.

This thread is not about whether domains can represent properties on the Internet but whether domains are valid for identification purposes of people as login credentials. They aren't valid, because a domain doesn't uniquely represent a person.


Yeah I agree that domain names are great.

I think we should make some new TLDs that come with some validation guarantees. Ie john-doe.nation.citizen is always a person who has an Id with the same “John Doe” issued by some government. The registrar is responsible for validating that. Once issued, the domain is never revoked - it’s yours forever, even after death. Maybe you subscribe to something for extra features, but the core identity can’t be recycled.

People don’t always want really strong ID like that though. So make other TLDs for other categories and give them different validation rules. Like .human could have some kind of biometric ID but no name. .blob could be a free for all, whatever.


But who are those for? I mean, I get what you're saying I just don't think it solves the issue. Sure, I could sign up for JoeRogan.biz and start posting using that handle, but I would also have to pay to hide the whois information.

All government agencies would have a verified .gov domain.

States have access to .gov domains

Hell, my local town has a .gov domain.

States have access to domains like ca.us, schools in states have access to k12.ca.us domains.

I guess States could offer domains like, person.county.town.state.us but what a mouthful. Or maybe person.citizen.state.us but doesn't seem ideal either.

I guess you could have a verified TLD so you can have individual domains like johndoe.verified... but it takes away from the domain being linked back to my website. Sure I could set up a redirect but boy that's starting to get complicated.

I think domains are a fine barrier for entry for vanity handles. Current domain registers could offer their own verification services where they can include the verification in the whois information.

If Joerogan.biz doesn't come back with some kind of verification string inside then it's not Joe's domain. That string could be a pubkey and services could allow for either encrypted posting or including an encrypted string that verifies against the domain's whois information.

Or that pubkey could be stored as a txt record in the domain.


You do realize that most names are far from unique, right? So what if someone can show that they own john-doe.nation.citizen - you still have no idea if that's the right John Doe. Wanting this identity to persist after death only means there will be even more collisions.


Why would you want your real identity tied to online persona? That doesn’t make a ton of sense.

That kind of thing is sometimes suggested as a solution to reduce online disagreements, but in fact just escalates spitballings to murders and gang wars. Not great, in my opinion.


There’s a ton of people here who use their real name or it is trivial to deduce and I’ve yet to hear of a HN gang war.

What do you mean rust isn’t the best thing since sliced bread? <calls hitman>


There are no free domains without a catch. Your example happens to be "free domain, when you pay us money", which is stretching the definition of free.


> There are no free domains without a catch.

It takes less than 5 minutes to get one.

> Your example happens to be "free domain, when you pay us money", which is stretching the definition of free.

That was just one example, which is what I wrote. There are many others that don't require website hosting. [1][2]

[1] https://www.getfreedomain.name/

[2] https://www.pcmag.com/how-to/how-to-get-a-free-domain-name-f...


I do not understand this. They say repeatedly “free” on the first link you posted but all the links I checked required payment up front and an increased fee for renewal. I’m not certain by what definition that counts as “free”. Maybe it’s free for them after the ad redirect they tried to hide between the registrar link?

Domain registration happens through an established registrar who collects fees. There are no free-as-in-beer top level domains that I’m aware of.

I would love to be wrong, because I own more than a couple domains myself.


You are correct.

You need to be careful, because they are enticing with free and then trying to charge. Free subdomains are easier to obtain, but there are some domains in "off-TLDs" that can be obtained. The list of those changes over time.

Honestly, though, I wouldn't use those for an actual business. The conversation was about how to subvert using domains as identification.


I checked 3 TLDs:

> USD $10 per year might sound like a lot, but how about USD $1 per top-level domain for the first year?! If you manage to gain any sort of traffic in that year, the domain will practically pay for itself!

> Since mid-January 2023, all Freenom-based domains (.tk, .ml, .ga, .cf, .gq) are down and not available

> .free launch dates will be forthcoming.

That’s one weird website with possibly some free subdomains.


Well, that's to some degree affected by the contents of this other article that came on the home page of HN the very next day. [1]

That article describes Facebook having brought suit against freenom for giving out free domains, because they were primarily used by criminals. There will be another free domain provider. There always is. But, this also makes the point that the number and impact of these free domains is huge. Spammers use them to spam, and this is one reason why domains should not be considered to have any gravitas as an auth mechanism for identity.

From that article:

  Freenom is the domain name registry service provider for
  five so-called “country code top level domains”
  (ccTLDs), including .cf for the Central African
  Republic; .ga for Gabon; .gq for Equatorial Guinea;
  .ml for Mali; and .tk for Tokelau.

  Freenom has always waived the registration fees for
  domains in these country-code domains, presumably as a
  way to encourage users to pay for related services, such
  as registering a .com or .net domain, for which Freenom
  does charge a fee.

  On March 3, 2023, social media giant Meta sued Freenom
  in a Northern California court, alleging cybersquatting
  violations and trademark infringement. The lawsuit also
  seeks information about the identities of 20 different
  “John Does” — Freenom customers that Meta says have been
  particularly active in phishing attacks against
  Facebook, Instagram, and WhatsApp users.

and

  “The five ccTLDs to which Freenom provides its services
  are the TLDs of choice for cybercriminals because
  Freenom provides free domain name registration services
  and shields its customers’ identity, even after being
  presented with evidence that the domain names are being
  used for illegal purposes,” the complaint charges. “Even
  after receiving notices of infringement or phishing by
  its customers, Freenom continues to license new
  infringing domain names to those same customers.”

[1] https://krebsonsecurity.com/2023/03/sued-by-meta-freenom-hal...


https://news.gandi.net/en/2017/06/introducing-the-1-111b-cla...

Enjoy number domains on .xyz for dirt cheap


If it's so quick and easy and free, please prove it.


This discussion is about whether domain names can serve as identity not about me proving I can create a domain on the Internet.

However, here is a free subdomain I've done for you. I created http://hnretroid.mooo.com/, added an A record, and pointed it at 209.216.230.240, which is news.ycombinator.com.


You can also look at the article that appeared on the home page here at HN the very next day after this discussion you and I had. The article talks about Facebook suing one of these registrars for giving out free domain names to criminals, even after being shown that their customers were performing criminal activities with the domains. [1]

There will be another free domain service. There always has and always will be, unfortunately. There always will be something to fill that void. In the same way that legitimate actors write legitimate apps, criminals have their own ecosystems on which they rely for their income.

[1] https://krebsonsecurity.com/2023/03/sued-by-meta-freenom-hal...


> nothing but a method of verifying internet presence.

isn't that what it's about? What else do you think of?


Of course not. You are confusing a domain as it is normally used with the context of this conversation, where I pointed out that domains are insufficient, because they cannot be used as personal identification.


what is personal identification in your eyes?


It's about the attempt to use a domain for personal identification that was discussed in this thread.


no, what does it take and mean to identify someone. In general and on the internet. How do you build trust? A domain is no worse than trusting any arbitrary billion dollar enterprise.


No. It's both different and worse, because you are trusting more parties for auth as well as degrading the trustworthiness in the actual integrity of the credential management by spreading it across the entire network stack in addition to trusting the same billion $ enterprise, anyway.


This was essentially the intent behind the .tel tld—using dns as an identity metadata database. Circa 2008, they did a bunch of podcasts and interviews about uses for the domains, like encryption schemes for secure messages using keys posted to an individual’s .tel.


I interviewed with .tel around then, and declined an offer after it was clear their plans were wildly unrealistic.

The "identity metadata" bit had already been pushed by multiple registrars for years at that point, as it doesn't require the cooperation of a registry to allow it, and largely gotten abandoned because of lack of user interest.


For a while we had a similar thing, via OpenID. OpenID was wonderfully portable, you could host it yourself, or you could defer to gmail, etc.

However after a period of being used and growing it suddenly disappeared from most of the places I used to see it.


You should check out the Kurer project from GMU researcher Eric Osterweil and his researchers.

https://kurer.daneportal.net/

https://cs.gmu.edu/~eoster/talks/2022-04-27%20Obj%20Sec%20Co...

You probably also want to read up on anything DANE and DNSSEC related if you want to have reliable information storage in the DNS.


Thousands if not tens of thousands of domains expire every hour

How many Gmail accounts expire and then get held hostage with higher renewal fees before going to auction? Oh yeah, zero


Gmail accounts with phone numbers attached get regularly locked permanently with no recourse.


We are talking orders of magnitude difference. Plus this is a much more solvable problem than what I mentioned: domains getting held hostage and then going to auction.


Nostr has been doing this with Nip05 for a little over a year now. They just use a json file in the .well-known directory of the domain that contains your public key.

https://github.com/nostr-protocol/nips/blob/master/05.md
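Added example (not part of the comment above, and not code from the Nostr project): the NIP-05 check, in which a profile signed by a key claims `name@domain` and the verifier confirms that the domain's `/.well-known/nostr.json` maps that name back to the same hex public key. The identifiers, the keys and the file body are constructed sample values.

```python
import json
import re
from urllib.parse import quote

LOCAL_PART = re.compile(r"[a-z0-9._-]+")   # characters NIP-05 allows in the name
HOSTNAME = re.compile(r"[a-z0-9.-]+")      # keeps path/query characters out of the URL
HEX_PUBKEY = re.compile(r"[0-9a-f]{64}")   # 32-byte key in hex, not the npub form

# Constructed sample keys and file body; not real accounts.
KEY_BOB = "ab" * 32
KEY_ROOT = "cd" * 32
SAMPLE_NOSTR_JSON = json.dumps({"names": {"bob": KEY_BOB, "_": KEY_ROOT}})


def nip05_url(identifier: str):
    """Split name@domain and return (name, URL of the well-known file)."""
    local, sep, domain = identifier.lower().rpartition("@")
    if not sep or not LOCAL_PART.fullmatch(local) or not HOSTNAME.fullmatch(domain):
        raise ValueError("not a valid NIP-05 identifier")
    return local, f"https://{domain}/.well-known/nostr.json?name={quote(local)}"


def verify_nip05(identifier: str, claimed_pubkey: str, body_text: str) -> bool:
    """True only if the domain's file binds the name to the claimed key.

    body_text is the response body fetched from nip05_url(identifier)[1].
    The fetch itself must not follow HTTP redirects: a redirect would let
    another host answer on the domain's behalf.
    """
    local, _url = nip05_url(identifier)
    if not HEX_PUBKEY.fullmatch(claimed_pubkey):
        return False
    try:
        doc = json.loads(body_text)
    except ValueError:
        return False
    names = doc.get("names") if isinstance(doc, dict) else None
    if not isinstance(names, dict):
        return False
    # Exact match only: a missing name or a different key both fail.
    return names.get(local) == claimed_pubkey


if __name__ == "__main__":
    print(nip05_url("bob@example.com")[1])
    print(verify_nip05("bob@example.com", KEY_BOB, SAMPLE_NOSTR_JSON))   # key matches
    print(verify_nip05("bob@example.com", KEY_ROOT, SAMPLE_NOSTR_JSON))  # wrong key
```

A verifier should repeat the check periodically, since the mapping disappears or changes when the domain's owner changes.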


> Imagine what could be built if everyone used domains as handles / identities.

I imagine Namecheap and GoDaddy getting involved before long.

> Social networks could go hands off for moderation and allow pluggable moderation engines that rely on domains for identity, trust, reputation, etc.

How is this materially different from Facebook handing off moderation tasks to Accenture?


> I hope this idea catches on

This already exists with Ethereum Name Service (ENS) https://ens.domains and Sign-in With Ethereum.


I have one of those. When everyone was changing their Twitter (display) names to *.eth I thought there might be a chance Twitter would use ENS for domain validated identities, so I grabbed one that matches a good .com I own.

The ENS stuff is cool, but I hope it doesn’t catch on unless they come up with a way to coexist with ICANN. I think multiple DNS roots would be a net negative no matter what.


ENS has DNS import via TXT Record verification proof, so the entire DNS tree can coexist in ENS trustlessly as long as future ENS-only TLDs are chosen wisely (seems simple: just use 0x80+ Unicode.) For example, try resolving my domain, "raffy.antistupid.com" in ENS.

I believe the ENS registry only contains "eth" as a rogue node (also "[0-9a-f]{40}.addr.reverse" is used for wallet names). Recently, ".art" started offering tokenized names, where you get both DNS and ENS.


>Imagine what could be built if everyone used domains as handles / identities. Social networks could go hands off for moderation and allow pluggable moderation engines that rely on domains for identity, trust, reputation, etc.

Imagine we let people build communities that self moderate instead of imposing a way to moderate and censor.


> Social networks could go hands off for moderation and allow pluggable moderation engines

Just imagine the bubbles. Bubbles everywhere.


> Social networks could go hands off for moderation and allow pluggable moderation engines that rely on domains for identity, trust, reputation

Every time this has been tried, it's failed miserably, as it should. People need to be able to post anonymously. Otherwise it's too easy to target the messenger, rather than the message. Think journalists, hackers, abuse victims, political dissidents, whistleblowers. Yes, this makes moderation harder. Sorry but that's life.


Domain handles are a feature but not a requirement.


If the social networks don't moderate, or let you opt out of their moderation, and you can opt in to whatever moderation system you want, how would that be any worse than trusting big tech to moderate fairly?


I don't even understand what you're asking here, but it sounds like you're arguing against yourself, so please continue.


>Think journalists, hackers, abuse victims, political dissidents, whistleblowers.

The vast vast majority of people are not those things. Even if you wanted to be anonymous to other people you could still prove your identity to a service and the service could keep that identity hidden.


For anyone that's serious about wanting or needing to anonymously post a public message, I would strongly recommend against this advice.

Part of the strength of your anonymity is based on the cost for anyone trying to figure you out. Centralizing your trust in a service that promises to keep your identity hidden is begging for trouble.

The service doesn't have to be malicious and can genuinely make every effort to keep your identity hidden. Trusting services like that creates choke points where it may not have been viable to attack the service for one identity but for hundreds it's worth it.

There's no such thing as flawless anonymity and you can't escape having some number of trusted parties, but you want to keep that list as low as possible.



