Identity verification on Mastodon

Published by Orde Saunders

Whilst I was discussing Mastodon with Ben Seven, he asked about account verification: if someone were to sign up to an instance with the username @decadecity, how would he know that I'm the real @decadecity and not one of all the other @decadecities who are just imitating?

The solution I've come up with is to use Keybase to sign a toot with my GPG key:

This is signed with the same key used to sign my emails and my Git commits. It's also the same account that's linked as rel="me" in the footer of my website.
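The `rel="me"` link mentioned above can be checked mechanically. The following is an added example, not code from this post or from Mastodon: it goes one step beyond the text by requiring the link in both directions (site to profile and profile back to site), since an impostor can point at my site but cannot make my site point at them. The host names, sample HTML and the HTTPS-only rule are assumptions made for the illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


class RelMeParser(HTMLParser):
    """Collect href values of <a>/<link> elements whose rel list contains 'me'."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("a", "link"):
            return
        attrs = dict(attrs)
        # rel is a space-separated token list, e.g. rel="nofollow me"
        rel_tokens = (attrs.get("rel") or "").lower().split()
        if "me" in rel_tokens and attrs.get("href"):
            self.links.append(attrs["href"].strip())


def normalise(url):
    """Reduce a URL to (host, path). Non-HTTPS URLs are rejected (assumption)."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "https" or not parts.hostname:
        return None
    return (parts.hostname.lower(), parts.path.rstrip("/") or "/")


def rel_me_links(html):
    """Return the set of normalised rel="me" targets found in an HTML document."""
    parser = RelMeParser()
    parser.feed(html)
    return {n for n in map(normalise, parser.links) if n}


def mutually_linked(site_url, site_html, profile_url, profile_html):
    """True only if the site claims the profile AND the profile claims the site."""
    site, profile = normalise(site_url), normalise(profile_url)
    if site is None or profile is None:
        return False
    return profile in rel_me_links(site_html) and site in rel_me_links(profile_html)


# Constructed sample pages with hypothetical hosts; nothing is fetched.
SITE_HTML = '<footer><a rel="me" href="https://social.example/@decadecity">Mastodon</a></footer>'
PROFILE_HTML = '<a rel="nofollow me" href="https://site.example/">website</a>'
REAL_URL = "https://social.example/@decadecity"
IMPOSTOR_URL = "https://other.example/@decadecity"  # copies the profile HTML
```
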

In the same way, I know that the John Sutherland I'm following on Mastodon is the same one who has committed to some of the code bases I've worked on with him because he's also verified his identity with a signed toot:

Laura Kalbag has taken a different approach - she's running her own Mastodon instance on her own domain. This means that, as I trust Laura owns her domain, I can trust that the account on that instance is really her.

This second approach is what I'd advise brands and organisations to adopt: much like a name@company.tld email address, an account like is the ideal signifier that you are dealing with someone whose views represent their employer's, not their own. (RTs may, or may not, be endorsements - that issue is still being hotly debated by some of the world's preeminent legal minds.)

Admittedly, both of these solutions require an above-average degree of technical literacy, but we're still in the stage where those of us who are early adopters are figuring out how we solve these kinds of problems.

