Well, it's that time of the week again. It's time for Chit Chat Across the Pond. This is episode number 756 for December 17th, 2022, and I'm your host, Allison Sheridan. This week our guest for the last Chit Chat Across the Pond of the year is Bart Busschots, not with a Programming By Stealth but with something maybe a little nerdy, not a little nerdy, a little bit mixed in, so it's gonna be a light episode. Yes, I think light works. Light. Yeah, light. No, light works, light works. Um, definitely tech though, because hey, it is me. That's what I do. So I've called it Verification, Twitter and Mastodon, because the reason I started writing show notes was because I wanted to talk about verification on Mastodon. But when I pulled on the thread, more stuff came loose. So it's actually a bigger discussion about the concept of verification, how Twitter used to do it and how Mastodon does it now, and why it's different. And what's different about... okay, and we aren't going to talk politics. We aren't going to talk about Nazis. We aren't going to talk about the person in charge of anything. We are just going to talk about these things, what they mean and what we do technically and what we do with it, right? Exactly. Yes, that is a complete point, because to me this is an excuse to have a bigger discussion, and basically all of this shenanigans has this in our minds, and so now is actually an opportunity to have a conversation. But what does it actually mean to be verified? Because lots of things say they're verified. But when you see that something is verified, I am going to make the argument that you need to ask yourself four questions every single time. What is the claim being made? What evidence is being offered to support the claim? What checks are compared, are performed, to compare the evidence to the claim, and by who? So think people, organizations and software. And what's the process for sharing the result of that verification?
So, okay, because if you can fake, or if any of those things don't have correct value, then the whole thing is meaningless, right? If the claim being made doesn't mean what you think it means, the whole exercise is pointless. If the evidence doesn't actually prove the claim, the whole exercise is pointless. If the checks are done badly, wrongly or corruptly, no point. And if there's no way to actually share the fact that it's been done without it being fakeable, still no point. Right, so you actually have to have all four. Okay. And so it doesn't really matter what it is that's being verified. Whatever you see, you have to ask yourself, what exactly is the claim being made here, right? So a classic example to me is the padlock on a website. There was a time when the media would say, look for the padlock and you know you're safe. No, no, no, no, no, no, no, no, that was never the claim being made by that padlock. The only thing that padlock was claiming was that the website you were at is the one in your address bar. That's it. That's the sum total of the claim the padlock makes. Now you also need evidence down whenever you see something is verified. So what evidence does the claimant have to provide to back up the claim, right? Verification has to be supported by evidence or it's not verification. And the strength of the evidence is vital. So to get a basic HTTPS certificate, for example, you need to prove that you control the website. By, you have a couple of methods. You can upload a special file, you can set a special DNS record, or you can reply to an email sent to a special address. But again, the claim is, I own this website. The evidence is, you have to prove your ownership through one of these mechanisms. And then there has to be a rigorous process whereby someone or something trustworthy actually compares the two things: you claim to own this website, you have to provide me with this evidence. Does that gel?
So again, that just says that there's a connection between you and that website, that you own that website, that you were able to put that special file in place. But it doesn't say that your website is pure of heart. Precisely, precisely. And then there has to be some sort of way of communicating the fact that all this has happened. There has to be a way of actually knowing that that little tick box is real, that the padlock is real, that it means something. There has to be a way of actually communicating to you that we have done this work. And so that is, that's why there are these four steps, right? What has been claimed? What's the evidence? How is it being checked, by who? And how are we sharing the result of us having done this work? And it's a chain. So the weakest point of those four is the total strength of the verification, whatever the thing is you're trying to verify. So let's dig into HTTPS in more detail as a good example, right? So when you say HTTPS, there is one thing you can be guaranteed as being claimed, and that is that the address bar, the URL in the address bar, is the URL of the server you are looking at. So the web page matches the address bar. That claim is universal, every time you see HTTPS. So it means that no one managed to become a machine in the middle and send you to a wrong server by hijacking your DNS. No one managed to intercept the connection and stick wrong information in. So you know that what you're seeing really is the web page in the address bar. So the URL and where you are match. Now it, um, but what's in the URL bar might be Giggle, not Google. Correct. So the classic example is absolutely Giggle. Exactly. So if the URL bar says not your bank's URL, but the web page looks like your bank's URL, well, all the padlock means is that you really genuinely are securely communicating with the bad guys. Right, because the little HTTPS gives you encryption and all that good stuff, but you are encrypting
to the bad guys. So, right, in order to get your HTTPS cert, what's actually had to happen is the owner of the website had to do something called domain control validation, or DCV. And DCV can be entirely automated, which is why DCV certs can be free. That's why Let's Encrypt can be free, because the act of DCV is, can be, purely automated. But if you actually want something stronger, you can actually make a second claim in your HTTPS cert. You can buy a cert that doesn't only say the address in the address bar is the website you're really at; it has a second claim: and the website is owned by this organization. Called an OV certificate. So sometimes when you click on the padlock, it doesn't just tell you the URL. It also tells you the company. Wait, wait, wait, OV, you can't throw acronyms out without telling us what they mean. Organizational, organization validation. I, I said, I think I said it a second ago, but let me just be double clear: OV is organization validation. It means that not only have you proved that you own the server, you have proved that you are the company you say you are. How would somebody, I don't, I don't get it. I'm Podfeet podcast enterprises. How do I prove that I'm a, I represent that company? You would have to, to get OV, is the reason OV certs cost money, is because the certificate authority would have to phone you on a number that they were able to get from a recognized directory. It's the bins directory of corporations is often used. Or, and so I do this for work, because we're a university. So we are established by law. So I have to cite the actual statute that made the university come into existence. And then they go to the university's register and they find the phone number for the university. And they have to phone that phone number and get through to me. Otherwise they will not verify that I am acting on behalf of the university. So to get an OV cert is a giant pain in the backside. And the verification lasts for one year and then you have to do it all again.
So, very familiar with OV. How did you do that when you couldn't go into the office for three years? Oh, well, thanks to the magic of modern telephony, the telephone can come to me. Oh, okay. My Teams, my Teams client is my telephone number. So if you phone my desk, it actually rings wherever I am. The joys of modern telephony and the horribleness of modern telephony, that all goes together. Um, so if you click on a certificate, sometimes it will actually say the name of the company in the certificate. And that is how that is done. That is an OV cert, and they cost money, because it involves a human being making phone calls and all those kind of shenanigans. And it's a heck of a lot of work. So it actually does cost money to get an OV cert. So you're never going to get one of those for free from Let's Encrypt. Okay, so this is, this is verifying that a company is, is the company. It's verify... okay. So it's verifying that you really are at the URL you think you are, and that URL belongs to that organization. Okay, really are, okay, right, paypal.com, and paypal.com really does belong to PayPal Inc. Okay. Okay, so it's valuable, actually. Like, banks and stuff really should have OV certs. You should be able to say that this really is Bank of America or whatever. But most people don't know to click on an OV cert. Most people don't click on the padlock to actually see the name of the company. So OV is one of these massive big "this should be useful, but actually..." And there's even a thing called EV, which is exactly the same as OV, but the level of proof is higher. Like, I don't know, why, do you have to sell them a kidney or something? What's the E stand for? Extended. Okay. And they used to turn green in the address bar, and then all the browsers got together and decided they couldn't be bothered. And so it's gone now.
So I don't know why. Anyway. Okay. So the point is, the one claim is definitely the website really is the website, and the other optional claim is the organization actually owns that website. So how do you prove it? Well, we've already talked about the fact that you can set a special DNS record or whatever. We've already talked about the fact that there's all these horrible phone calls and things. So at that stage we know what's being claimed and what the proof is. So how do we actually... who's doing that verification? Who's doing that work of proving that the claim matches the evidence? Well, that's called a certificate authority. So for the cheap certs, the certificate authority runs some software, and the software does all the work, and at the end of the day the certificate authority hands you out the certificate. No human involved, but the certificate authority was involved. So there's software being run by an organization. That software is using an open standard called ACME, believe it or not. Obviously, they watch too many cartoons. Um, so there's actually already quite a lot in the trust here, but, uh, how do you get to be a certificate authority? Like, who gets to be a CA? Well, there's actually, the browser manufacturers really have the keys here. They decide who is and isn't trusted. But they do that in an industry organization where they all get together and they make rules, and then everyone who wants to be a certificate authority has to follow the rules. And there's auditors sent out to make sure you follow the rules, and if you break the rules, you get taken out of the browser. And so there's this massive process. So all of this work is going into just that simple claim of, this really is my website. Okay, and I do know, I do know we've had a case of a certificate authority stopping being trustworthy.
I forget what they did wrong. But there was one that I remember you told us about that they, uh, they did something naughty and it was like, nope, you're not that anymore. Yeah, they issued a, um, they issued a government the right to issue certificates, which basically meant that all of the checks were being bypassed. Right, because the rules are, you're supposed to do all of these checks before you give out a certificate. But they gave the right to make certificates to someone who wasn't following the rules. Therefore they were thrown out. Okay, good. Well, that's good. It's good though, that that means the system was working as designed. Yes, yes, yeah. And then the final... so that's three out of the four. So how do we communicate this fact? Well, we use cryptography. So what's actually handed to you is a certificate that you install on your web server. And that certificate is digitally signed by the certificate authority using their certificate, and their certificate's public key is hard-coded into your browser. So your browser has the key to the certificate authority, the certificate authority has the key to your cert. And so you have this chain of trust: the browser trusts the CA, the CA has verified your certificate, your certificate says you really are you. And so that is how it all... I missed one part of that, made no sense to me. You said the, uh, the cert is stored locally on my computer, so I go to... You are the owner of podfeet.com. I thought you were talking to the user. Okay, start it over again. Tell me, tell me the whole thing again, because I thought you were doing an analysis. So you want to prove that you own your website, right?
You want to prove that you own podfeet.com and I want to have a nice secure padlock. So you go to Let's Encrypt, say, right, and you run their software, and their software will do the verification that you... the way it actually works is, it actually puts a file on your website, checks the file, and then deletes the file off your website and gives you a certificate. So they've actually completely automated the whole proof part as well. But they, you actually have proven you own the website, because they have put a special file there. Their server has checked that the file is at the URL, and then they have issued you the certificate. And that certificate is installed onto your server that is hosting podfeet.com, which means that no other server on planet Earth can have a padlock and say podfeet.com. Okay, okay. And that certificate has been digitally signed by Let's Encrypt. And Let's Encrypt's certificate is stored in your browser. So your browser knows Let's Encrypt. Wait, am I still podfeet.com? Am I still Allison? Let's, okay, let's change that. Allister, just to confuse things. Or no, actually, let's go with someone who doesn't have an A initial. Sorry, Allister. Helma goes to visit podfeet.com. Helma's browser trusts Let's Encrypt, because Let's Encrypt have not broken the rules. They are still in the good books. So the browser has Let's Encrypt's root certificate. Let's Encrypt signed your certificate. Therefore your browser trusts your certificate. Sorry, Helma's browser trusts Podfeet's certificate. Okay, right. So it's called the chain of trust. So notice how much work has gone into the simple proof that this website really is the website that says it. That is how hard verification is, for it to be a trustworthy thing where every link in the chain is strong. What's the claim? Clearly defined. How is it proven? Clearly defined. Who's doing the work? Clearly defined and audited. How is it shared? The cryptography, clearly defined.
So each of the four steps is really clearly defined and auditable and checkable, and so everyone can trust it. Therefore billions of dollars can flow across that system every year. That is what it takes to make the internet work. That is exactly the same on Twitter and Mastodon, right? That is the gold standard, if they could approach the... but no. All right, so let's ask the same questions. Let's take, let's show up at a time machine, wayback machine. We are now back in last February, say, or frankly any time before the summer. So there was a thing where you could get a blue check mark on Twitter. So what was the claim that blue check mark made? The claim was that the human being or organization the account claimed to be really was controlling the account. So if the account was, say, POTUS, President of the United... no, sorry, to try to avoid politics. If the account was Neil deGrasse Tyson, I'm sure you have to do take. If the account was Neil deGrasse Tyson, and that Twitter account really was the human being Neil deGrasse Tyson, and that was the claim. The verification was "trust us". Twitter basically said, we have done the work to figure out that this guy really is Neil deGrasse Tyson, trust us. Now, there was no reason not to, so we were fine with that. How they did the work? Black box, we don't know, they didn't tell. But they did. And there seemed to be something to it. There seemed to be some sort of process. It, not everybody who should have gotten it got it, and not everybody who got it maybe should have gotten it. But it appeared that the people who got it, and the organizations that got it, actually were who they said they were. I never heard anything about people who weren't those people getting it. Correct. Exactly. That's it. That's it perfectly described. Every, every blue tick was correct. But the logic between who got them was, I never, didn't understand. But it was correct, right? But it was a status symbol more than anything else. Kind of was, to be honest.
Yeah, because, because they were so rare. And then the method of communication is simply, because Twitter owned the full platform, they could communicate it by simply putting an icon next to the name. Right, because they control all of the bits and bobs. So the only thing they had to do to attest to it was to put the icon on the account. So that's all four parts ticked off. Now, as long as Twitter were trustworthy, that actually worked quite well. And we had no reason to doubt it, and like you said, there's never been a case that someone got the blue tick mark who shouldn't have, that we're aware of. So the meaning of the assertion is what changed when Elon decided to... I mean, I don't know what it is today or what it will be tomorrow. The point is, the claim has become a moving target. So already our chain is pretty weak. Because what does it mean to have the tick? Well, for a while, it just meant you gave eight dollars. It's not actually an assertion of anything of any importance whatsoever. "This is a person with eight dollars" is the total sum of the claim that was made by the blue tick mark for a while. And that was proven by people paying eight dollars and becoming shown with a blue tick as somebody they weren't. Now, I tried to ask Elon Musk, and there were so many fake Elon Musks with blue ticks, I never did succeed. That's how bad it is. "Hilarity ensued" is what I would say. Yes, that is the perfect phrase, depending on your perspective. Yeah, so what was the evidence being asked for? Well, there wasn't any. What was the checks being done? There weren't any. What was the method of communication?
Yeah, they put up a blue tick. So the checks were being done, checks for eight dollars. Yeah, and checks with the other spelling too. Right, so it pretty much fell apart. So everyone's going over to Mastodon, and people want their... given how much talk there's been about blue tick marks, people want their Mastodon equivalent of the blue tick mark. Well, is there an exact analog before you jump into that style? Okay, before you jump into that, I don't, I don't feel like we put a complete bow on Twitter yet. I think you said a little bit of it, but we just don't know what the current system is. There is a system now though. Well, I said launch share or is it announced? I thought, um... It was announced, uh... How would I search for that to announce? There was an announcement that there was going to be an announcement, and then there was an announcement, but hasn't actually got into production. I haven't been harangued in my Twitter client to hand over eight dollars. Okay, I'm sure I'll be advertised that. Eligibility, yeah, there is a, there is a site, help.twitter.com slash verify, I think. Oh, Twitter verified accounts, uh, eligibility. Uh, you have to be subscribed to Twitter Blue. So you have to pay your eight dollars. Um, you have to be in active use, non-deceptive. Loss of the account the whims of people. Uh, yeah, I don't know whether it's, uh... Yeah, come in or go on. Yeah. Yeah, I, I don't know what it is, but I don't know that it doesn't exist. So it may or may not exist by the time people hear this. Yeah, that's why I went for "in flux" in the show notes, is my wording. Okay, so if you see a blue checkmark in Twitter, check your calendar. It just made a shrugged in the camera, if you couldn't, if you couldn't hear that. I don't know how best to articulate that, my feelings on that. I was like... Okay, okay. All right. So now moving to Mastodon. So moving to Mastodon, the question is obviously, well, what's the equivalent of this blue tick that's caused all this kerfuffle, right?
We're all moving to this alternative. So what happens to our blue ticks? Well, Mastodon is very, very different in its whole conception to Twitter, right? Twitter is one website operated by one company who have complete authority over it. So the concept of verification is very obvious. There is, there is a central authority. Twitter is the central authority of Twitter. Well, Mastodon being a federated system, there is no obvious central point of authority to take on the role of being a verifier. So that's not what Mastodon does. However, there are actually, depending on how you choose to count, there are... there's one official type of verification, there's a second, piggybacked type of authentication, and there's a third, emerging, pseudo kind of verification. So there's actually three different types of verification that I think are worth discussing. Well, we'll start with, we'll stay on the straight and narrow. So if you read Twitter's documentation and you look for the section of verification, Twitter's documentation will describe the simplest and easiest to do form of verification. So... Are you, they do not... hang on, Bart. Are you meaning to say Twitter? Nope, I mean, exam, Mastodon. Okay, so start that sentence over. Okay, sorry about that. I thought we switched gears again and I was like, I don't follow. Okay, yeah, so there's no central authority at Mastodon, but it's federated, and, and therefore there's no one to give you a blue tick that says you are you. Well, we have something else. The official documentation for Mastodon, if you read it, tells you that you can verify the links in your profile. So you get to have four links in your profile, or zero to four depending on how many you want to fill in. And they can turn green when they have been verified. So what is the claim there? The claim is that the person who controls this Mastodon account is the same person who controls that website.
So it is a linkage between the Mastodon account and the website. So the level of trust you have in that linkage is down to how believable the website is. So if there's someone claiming to be a journalist for the New York Times, and their link in their Mastodon profile is to their author page on the New York Times website, and it's turned green, that is a really meaningful verified link. So what it does say is that at this moment in time, you have control over the content on that URL. Yes, that is the exact claim and doesn't say that, I mean, because I could get hacked, and you could have, and you could have gotten into podfeet.com and claimed you're in charge of podfeet.com. In fact, you have the ability to change podfeet.com and say it's yours. Yes, I am an administrator. That is entirely correct. Yes. I have, because when you go on holidays, and Allister could too. We could all become you. I do have some questions about that, but let's keep going. Right, so the level of... so the actual claim is simply that this website is this Mastodon account. So this website is actually really important, because it's kind of up to you to decide if you think that is actually a meaningful verification. Right. Okay. This Mastodon account is really connected to that website. Do I care? So like I say, if that is a link to an author page on a major publication, that's very meaningful. If that's a link to a profile page on a government website saying this is the minister for finance, that's very meaningful. If it's a random blog by Mr. Interesting Person, well, okay, it's the same interesting person, but it hasn't told you that much information. So bear in mind that all you're getting is a connection between the URL and the Mastodon account. Right, but if the person who's trying, who's trying to get verified is verifying that they are this interesting person with this interesting blog, it doesn't matter whether they're CNN or the White House. It just matters that they're who they say they are. Correct.
But the thing is, if someone says to you that the, their Mastodon account is verified as them, you have to say no. The only thing verified is the link. Right, Mastodon does not claim to verify the person. Oh, right. Right. So verified the person. So it's different. I'm underlining the difference. Got you, got you, got you. So if you were to, uh, verify that podfeet.com is yours, it doesn't say that you're Bart Busschots. It says that you have current control over podfeet.com. Says nothing about you being Bart or Allison. Exactly, exactly. Whereas the old-style Twitter verification verified the human being. Nothing on Mastodon verifies the human being. Okay. So that is the official, and it's really easy to do, because it's actually a very simple claim to make, right? You're just connecting two things together. So in order for you to provide evidence for this claim, all you have to do is put a link onto the URL you're saying is yours that links back to your Mastodon account, and that follows two very simple rules. The URL has to be HTTPS, which means you're actually piggybacking on all of that wonderful crypto and stuff that we've talked about earlier. Right, so you're actually just kind of nicely, you're piggybacking off the whole HTTPS system. It actually means that that website has a little bit of stuff going for it. It is real, right? They can't, you, you can't basically manipulate things by taking over a website that isn't secured. Right, it would be much easier to do a man-in-the-middle attack or whatever to fake the verification if it wasn't HTTPS.
So that's just good. Very simple thing to do, you say must be HTTPS. It's actually very clever of them to do that, and, what a surprise, the open source community came up with that. And then the only other rule is that the page at the other end of the URL has to contain either a visible or an invisible link back to the Mastodon profile with a rel attribute. A rel stands for relationship. And the value of the relationship is me. So rel equals me. So the relationship between the owner of this website and the destination of this link is that they are both me. In other words, I am claiming my Mastodon account. Because this is code on your website. Yeah, so here's, here's a question. Um, Steve writes for podfeet.com. Can I have two rel equals me? One for Steve and one for me on my website? Yeah, absolutely, absolutely, because it's not saying, is this the only rel equals me. It's just checking, is there a one? Okay, we're having some, some, uh, lag on the internets here. So I'm not quite sure what you just said. Yeah, I'll say that again. Yeah, so it's not a one-to-one mapping, right? The question is just, is there, is a relationship between this website and this Mastodon account? One website can be related to multiple Mastodon accounts. One Mastodon account can be related to multiple websites. So you could have multiple links on the page that says rel equals me to Steve's account, rel equals me to your account, rel equals me to my account if you want to let me claim ownership of something, right? It doesn't matter, as long as there is one to that account. It's happy. That would also suggest you could have several, uh, URLs. So you could have bartb, whatever it is, bartb.ie and lets-talk.ie, you could have them both verified as you. I could, because your Mastodon profile has up to four, so you could have up to four tick marks. Yeah, so in, in the show notes, you said that it has to be, uh, in the, uh, an a tag in the page's body or an invisible link in the page's head. That's not correct.
You can do it in the footer, which is where I was actually instructed to do it. So not just, okay, footer. Right, the link tag belongs in the head to be a valid piece of HTML. So link rel equals belongs in the head. It may, it may work for Mastodon validation, but it's invalid HTML, and an a tag has to go somewhere inside the body. A footer is in the body of your web page. So I put the URL they told me to put in, I put it in the footer. And it, okay, but the footer is in the body, the footer is in the body. Is it visible on the page? Okay, you said it had to be in the head. Okay. Oh, because it's visible, it has to be in the body, and the footer's part of the body. Yeah, everything that... so your web page at its lowest level has a bunch of headers that are invisible, and the content. Head and body. Your content contains a header, a page body and a footer, but they're all in the body tag, right? If you view source, everything is in the body. Okay, so if I was, uh, to be creating a, an HTML page by hand, I would know that, I would have, would not have asked that question. The way I work in WordPress, I have a theme, and the theme has a nice little GUI, and it says, where do you want to put this, and I push a button that said footer. So when I saw a head, I was like, it wasn't in the header, it was in the footer. Now I see what you're saying. Okay. Um, so to put a link in the body, where, where in the body would you put it? Anywhere. "Anywhere" is not an answer in today's blog post. Yeah, as long as when you go to the URL and you do a Control-F on the page you find it, then it is there. Wait a minute. The link is invisible, I wouldn't find... The invisible link goes in the head section. So that is in the source code. So if you do a view source, you'll see it, you know, head, title equal title, all that stuff will be in the head. Okay, so I'd have to find it.
Okay. Okay, so mine is visible at the bottom of my, uh, web page, and I just wrote it, "follow me on Mastodon" is what the link goes to. Yeah, because there can be any text, right? Between the opening and closing link tag can be any text. That's not part of the spec. All it says is that the URL has to be to your Mastodon profile, and it has to say rel equals me. Okay, you're actually very okay to mess around with it. Okay. So with all that faffing about explaining that, what we have said is that putting this text on your website verifies that you have control over that website. Yeah, and it connects together the website and the Mastodon account, and that's it. That's all there is to it. Because the claim is so simple. So whether you run your own website or not, if you're just looking and you see somebody says they own bart me dot me, that just says they have control of bart me dot me. It doesn't say they're Bart. Correct. I wonder if that site exists. I may now have to go register that. The other thing, I did some testing, because I was not, because my website redirects. So if you go to bartb.ie, you get redirected to bartbusschots.ie. So I added two links to my profile, one to the final resting URL where you end up after all the redirects, and one to bartb.ie, and they both turned green. So verification will follow redirects. Okay, it's nice to know, because a lot of people have a shorter, nice URL that then redirects them to a longer URL. So that's good to know that works. One really fun of the way I name my website, but it's only seven characters.
So... Yes, yes. Um, one annoying caveat is that validation happens when the server feels like it. So your instance is running a cron job every n minutes that it does whatever background work it has to do, or one of those background tasks is, do all the verifications that are outstanding. So it will happen when your instance feels like doing it. And so you'll hit save and nothing will turn green, and you'll think you've done it wrong. Walk away, just go away, do something else, and come back in some vague amount of time and it will have turned green. Or it won't, in which case you have to try again. So it took me three days to get mine working, and I'm not entirely sure what did it in the end, because, well, I don't know how long I was supposed to wait. Maybe I had it right all along. Maybe there was never a problem. I don't know. Did you fiddle with it? Of course I fiddled with it, because these show notes were coming up and it wasn't working yet and I was fiddling, you know. I actually put it in two places. So I'm not sure whether it's working. I don't know which one fixed it. I have it in the head and in the body. So, well, what the hey. I have one. Uh, oh, where is it? Oh, I created a, uh, uh, a button that says, uh, "follow me on Mastodon" on podfeet.com. I think, if I remember correctly, this was a few weeks ago now, because I went and looked on your website to see how, see if I was doing something silly. I said, well, Allison's works. Allison's is green. How did she do it? So I don't know whether that one's actually functioning. I think that one probably isn't. It was a little bit weird. But if you look at the very bottom, it says "follow me on Mastodon", and that is the, uh, that is actually the rel equals me for that one. Yeah, because the other one has a rel equals quote equals rel me or something. There's something a little weird going on. Yeah, it was part of a little box I'm stuck in, in my theme and stuff.
So I was just kind of flailing around going, well, throw it in there, and then later on I thought, well, I'm not sure that's gonna work. So let me put it in the footer. So I don't know why it works, but I have me a blue check mark. And it just has to be one of the links has to be correct. So blue check mark... You know, you have a green check mark, not a blue one. Or green. Sorry, green. Happier color. So that is the official type of verification: connect your Mastodon profile to your website. Some very clever and very nerdy people realized that if a URL can be verified, then with a little bit of writing up a spec you can verify a cryptographic public key. Because what you do is you use a service called Keyoxide to link your public key to a URL, and then you connect that URL to your profile, and there, your public key is connected to your profile. Okay, 100% lost me, no idea what you're talking about, start over. Imagine you're a person who wants to do encryption using public key cryptography. You might be a journalist who is hoping someone will leak them some sensitive data. So you need to publish your public key to anyone who wants to send you information completely secretly. Okay, they can encrypt with your public key, and the only person on planet Earth who can decrypt it is the person with your private key. Now if I'm a leaker and I want to send you information, I need to have some confidence that I'm using the right public key. Because if the FBI snuck me their public key instead of your public key, I would be in deep doo-doo. Being able to link the public key to the Mastodon account, I now know that I really am talking to that Mastodon user when I use that public key to encrypt. Okay, so how do you do that? Now I understand the, the reason to do it. So there's a web.
There's a web service that's open source called Keyoxide, and they provide a way of publishing your public key at a URL that will also include a Mastodon link in the URL. So it's a web page that has two pieces of information: the public key and the Mastodon URL. So it will turn green when linked in Mastodon, and it will contain the public key. I feel like I'm just being real slow, Bart. I didn't follow that. Keyoxide magically says these two things get to go together, but how do they, how do they verify that? Okay, you, as the person who wants to publish your key, set up a Keyoxide account. And you, on your Keyoxide profile, publish two pieces of information: your Mastodon URL and your public key. Okay. Now that Mastodon URL... Why can't I take my Mastodon URL and your public key? Because your public key is publicly available. So I can take Bart's and attach it to my, my Mastodon URL. Okay, what good is a public key if you don't have the matching private key? It isn't, but I could do it. I don't see what, but I don't see what Keyoxide's doing then, if it's not... there's no verification. But there's no way to put your public key on your Mastodon profile without some website in between. The problem to be solved is to get your public key onto your Mastodon account. This is a website to help you do that using Mastodon's ability to verify your URL. But I thought I needed control of that website, and I don't have control of Keyoxide. You have control of your profile page on Keyoxide. Okay, so it's a profile page. So you will set yourself up on Keyoxide with a profile that has a URL that's just for you, that has two pieces of information: your Mastodon URL with a rel equals me, and your public key. You then take that URL for Keyoxide forward slash podfeet and you put that into your Mastodon account as one of your four links. It will turn green. Okay, because it's going to go to Keyoxide, to the URL
I gave it, and it's going to find the rel equals me. Yes. Therefore, when someone goes to your Mastodon page, you're going to see one of your links is going to say GPG. It's going to be green, and it's going to be a link where they click on it and they get your public key. So that has now connected those two pieces of information together using verification. So again, it's, you know, it's not something most of us have to do. But if you're interested in sharing public keys, it's really nice. You're able to connect your public key to your Mastodon account. And is that something you're going to do? I don't know, because I don't... I believe the concept of GPG is nuts. I believe in the key... I believe in the public key infrastructure. If I need a certificate, I will buy a certificate from a certificate authority. So I'll use S/MIME, not GPG, but I am not a journalist. Okay, so you just think this does exist. Okay. All right. People are very passionate about it. Okay. The other thing then, which I think is really cool, is a side effect of Mastodon's federated nature. So your username on Mastodon is at something at somewhere. The at somewhere is a domain name, right? So if you are, say, the White House, you could run a Mastodon server at potus at whitehouse.gov. So at whitehouse.gov could be the server, or the instance. Sorry, I keep on saying server. I mean instance. But that actually means that only the White House could have set that up. So if the White House say only people who work here get accounts here, that anyone's username that ends in at whitehouse.gov must actually be at the White House. So I'm glad you picked the White House as a, as an example, because there is an account, if you search for the White House on Mastodon, you will find one called The White House. It has a big green check mark and it's pointing to at whitehouse at mastodon.cloud. So that's not at whitehouse.gov, therefore not... Well, but, but let me just tell you what's on it.
It's, it's a banner photo of a different president. Of course, okay. So this is not, this is not... This is definitely not the White House. But that, that check mark tells me that whoever created this account owned a domain that they said was theirs. But it's, but just looking at it up front, it doesn't tell you what domain that was. What does? Because the link goes somewhere. So where does it go? That's why I just said, just looking at, at the screen check mark, it does not say anything about where it goes. You have to go into it. Uh, I'm not even sure how to go into it. Yeah, no, I, I don't see... even have a green link, or do... have they just put an emoji of a check mark? They might have put an emoji in. Yeah, that's probably what that is, what it is. You're right. That's an emoji. So there is an example of... because the actual signal is, when you go to the profile, the links turn green. It's not at the end of your username. It's the links in your profile. So if you, if I click on, if I click on your icon, I get to see your profile, and your profile has a link to podfeet.com, and the link to podfeet.com is green. If you go to my profile, you should see two links that are both green, and my GitHub link. That isn't green yet. I haven't figured that out yet. Oh, that's interesting. You can do your... Well, I can do if I your GitHub. Yeah, except for the fact that GitHub strip out the rel. So I need to do a little more figuring out there. Okay, okay. I'm, I'm really curious here, because the client I'm using doesn't even, doesn't appear to let me go in and see the, the actually... no, let me look for you. Sorry if you're doing this real time, but I'm really curious why I'm not able to... I'm not even looking. What, what are you on twitter again? Uh at b b b b at my student with novells. Well, trust me with your spelling. There's not two of you, and we don't have to worry about that. Okay. Okay, so when I go into yours, that's the difference.
So when I go into yours, I see the, I see website, home page and GitHub, and I see green check marks and green URLs for your, your website and your home page. That fake White House doesn't have any URLs. Yeah. Did there... Yeah, so this came up because a friend of mine said, "Look, I'm following the White House on, on, on Mastodon." I looked over it and I said, "No, you're not." But it wasn't this one. It was a different White House that wasn't the White House. Yeah, so... What, so what I'm talking about here is the, the after the second at is the server, and you can't fake the server. Right, so the server, they could have White House on mastodon.social. That would be, I know, unlikely of them, but they could. Right, so that's not what I'm saying. What I'm saying is, if the bit after the second at is something of value, it really is something of value. What are you defining as something of value? I don't know what you mean. If it is a domain name that has a meaning. So the two examples are that the European Parliament have a Mastodon server at EU at parliament at EU, or, I can't remember the exact URL, but at the, at their actual domain name, okay. And the German government have set one up at the actual domain name for the actual German government. You can't fake the bit after the second at. So if it is something that is real, it is real. Okay, so, okay. That actually is a way of adding real verification. So the European Parliament have said, we will not give Mastodon accounts to anyone who is not actually with the European Parliament. So every Mastodon handle that ends with at European Parliament dot whatever it is really is someone connected to the European Parliament. The German government have said (a) we want all officials to use the official Mastodon, and (b) only authorized people are allowed on to the official Mastodon. Don't, don't say official Mastodon. That, that's official German government Mastodon instance. Thank you. Instance. There's not an official Mastodon. Fair, fair, fair, fair, very fair. Um, I think an example
that people could, uh, everyone here could probably, uh, connect to is Federico Viticci is, uh, officially moved to Mastodon, not, not staggering back and forth, but moved, and his, uh, his handle is at, uh, viticci.net. Now there we go. You know he's feder instance. That's an example. Yeah. Yeah, and another example is that Leo Laporte is offering his listeners who subscribe to his membership doohickey at twit.tv Mastodon accounts. Yeah, he was, and I, I'm actually a member there, and, uh, he got too big and he had to stop letting people in. And it was right after, shortly after I had, uh, I had joined his member program, but, uh, I think it is... No, I didn't end up asking. I, it doesn't really matter. No. Well, it's kind of nice though, because only people who are actually in his clubhouse can have his... can have accounts at twit.tv. So there is, you know, again, it's an example of... It tells you something, right? Because if you have a twit.tv account, you are actually a listener. Right, right. Uh, let me correct myself. It's viticci at macstories.net. I said viticci.net. Perfect. Yes. Viticci at macstories.net. He doesn't have a green check mark though. But like I say, the actual second domain name, you can only be at that domain name if you, if they let you in. So if that domain name belongs to an organization, then that organization let you in, so it is actually... That second at is very valuable. So you're saying to create an instance with at macstories.net you have to own macstories.net? It's a DNS name. Yeah, that's how, that's how the traffic gets routed to the instance. Okay, it's DNS. So you actually genuinely have to own the domain. Cool, it's just like an email address: at podfeet.com has to be at your mail server. So if you run your own Mastodon instance, it would have to be on your domain. Then you would have to set the DNS record.
So it really would be you. I am not even vaguely interested, but you know, I call... Right, right. You know, if people are doubting whether this is actually going to be a thing on, on Mastodon, I didn't make any bet that it is really going to be a thing, but a journalist, one of the ones who got banned recently, said that when he first got banned he had 1200 listener readers on Mastodon, and by the time they were interviewing him about it, which is, what, two, three days later, he has 20,000. Wow. The other thing I see it really do, the place I see it really taking off, is in European governments like Germany, where there's a strong open source ethos at the government level. So they have a very strong ethos for using open source software for government applications and for things that involve the public. And so they're very keen to see something that isn't controlled by any specific company take off. So the fact that they've spun up their own Mastodon instance means they're really serious about this, and I would say it will become an important communication mechanism for some European government. Interesting. Yeah, I, like I said, I wouldn't have bet that this was going to be the thing, but I, it may have legs, it may have legs. It's, uh, yeah, it's, it's maybe not flying yet, but it's a big elephant. It's tromping through the jungle. Although if dumbo was don't mean anything it could fly one day. There you go. Anyway, so that is, that is my... It all came out because I wanted to figure out how to make my links turn green, and ended up being a big discussion on what it means to be verified in the abstract sense. But I think it's a good conversation to have, because I think whenever you see someone claiming, well, I'm a verified blubber blubber, I always ask: what's the claim, what's the evidence, who did the checking, and how am I sure it's really true? Yeah, and I asked Bart before he started this, I said, I don't understand how you're going to make a whole conversation about this for 48 minutes.
I, I said, uh, you know, I copied the link they told me to put at the bottom of my website and I was done. And, and he said, yeah, well, there's a little more to the conversation. I thought those are really interesting to help us make sure we keep thinking about what that verification means and what's behind it. Yeah, yeah, and it's important all over the place, not just on social media. It's just an idea that I think it's important people have in their heads. I, I did promise you between 45 minutes and an hour. So, yes, you did. Exactly right. Well, I hope you have a great happy holiday, and I appreciate you jumping in and giving us one last show before the end of the year. It was, it was literally my absolute pleasure. Today is the first day of my annual leave for the Christmas period. I'm finished work for the year. I'm done. I saved up my annual leave to have it all to take at the end of the year. For me, 2022 is now purely fun. So I'm in happy holiday mood. So, uh, definitely want to wish everyone lots of... what is it I said to my colleagues? Um, joyous, delicious and peaceful holidays. That's what I want everyone to have. Delicious is really important. I stuck that in the middle. All right, I think there's no better ending. Thanks a lot for coming on, Bart. It was my pleasure. I remember, do remember to have lots of happy computing. Have to end on that. Sorry. I hope you enjoyed this episode of Chit Chat Across the Pond. Did you notice there weren't any ads in the show?
That's because this show is not ad supported. It's supported by you. If you learned something, or maybe you were just entertained, consider contributing to the Podfeet Podcast. You can do that by going over to podfeet.com and look for the big red button that says "Support the Show". When you click that button, you're going to find different ways to contribute. If you'd like to do a one-time donation, you can click the PayPal button. If you want to make a recurring contribution, click the weekly Patreon button. Or another way to contribute is to record a listener contribution. It's a great way to help the NosillaCastaways learn from you. If you want to contact me for any reason, you can email me at allison at podfeet.com, and you can follow me on Twitter at podfeet. Maybe you want to talk to other NosillaCastaways; you can do that in our Slack group at podfeet.com slash slack. Thanks for listening, and stay subscribed.