Ccatp_2022_12_17

2021, Allison Sheridan
Chit Chat Across the Pond
https://podfeet.com


Transcript

[0:00] Music.

[0:08] Well, it's that time of the week again. It's time for Chit Chat Across the Pond. This is episode number 756 for December 17th, 2022. And I'm your host, Allison Sheridan. This week our guest for the last Chit Chat Across the Pond of the year is Bart Busschots, not with a Programming By Stealth, but with something maybe a little nerdy, not a little nerdy, a little bit mixed in. So it's going to be a light episode.
Yes. I think light works. Light. Yeah, light. No, light works. Light works. Definitely tech because hey, it is me. That's what I do.

[0:40] So I've called it Verification Twitter and Mastodon because the reason I started writing show notes was because I wanted to talk about verification and Mastodon.
But when I pulled on the thread, more stuff came loose.
So it's actually a bigger discussion about the concept of verification, how Twitter used to do it and how Mastodon does it now, and why it's different and what's different about it. Okay. And we aren't going to talk politics.
We aren't going to talk about Nazis. We aren't going to talk about the person in charge of anything. We are just going to talk about these things, what they mean and what we do technically and what we do with it. Right?
Exactly. Yes, that is completely the point. Because to me, this is an excuse to have a bigger discussion. And basically all of this shenanigans has this in our minds. And so now is actually an opportunity to have a conversation.
But what does it actually mean to be verified?
Because lots of things say they're verified.
When you see that something is verified, I am going to make the argument that you need to ask yourself four questions every single time. What is the claim being made?
What evidence is being offered to support the claim?

[1:52] What checks are performed to compare the evidence to the claim and by who? So think people, organisations and software.
And what's the process for sharing the result of that verification?
So, okay, because if you can fake, or if any of those things don't have correct value, then the whole thing is meaningless.
Right?

[2:15] If the claim being made doesn't mean what you think it means, the whole exercise is pointless. If the evidence doesn't actually prove the claim, the whole exercise is pointless. If the checks are done badly, wrongly or corruptly, no point.
And if there's no way to actually share the fact that it's been done without it being fakeable, still no point.
So you actually have to have all four. Okay.
And so it doesn't really matter what it is that's being verified. Whenever you see that, you have to ask yourself what exactly is the claim being made here?
So a classic example to me is the padlock on a website.
There was a time when the media would say, look for the padlock and you know you're safe. No.
No, no, no, no, no, no, no, that was never the claim being made by that padlock.
The only thing that padlock was claiming was that the website you were at is the one in your address bar. That's it, that's the sum total of the claim the padlock makes.

[3:17] Now, you also need evidence now whenever you see something is verified. So what evidence does the claimant have to provide to back up the claim? Verification has to be supported by evidence or it's not verification.
The strength of the evidence is vital.
So to get a basic HTTPS certificate, for example, you need to prove that you control the website by a couple of methods. You can upload a special file, you can set a special DNS record, or you can reply to an email sent to a special address.

[3:50] Again, the claim is "I own this website"; the evidence is you have to prove your ownership through one of these mechanisms. And then there has to be a rigorous process whereby someone or something trustworthy actually compares the two things: you claim to own this website, you have to provide me with this evidence.
Does that gel? So again, that just says that there's a connection between you and that website, that you own that website, that you were able to put that special file in place, but it doesn't say that your website is pure of heart. Precisely.
And then there has to be some sort of way of communicating the fact that all this has happened.
There has to be a way of actually knowing that the little tick box is real, that the padlock is real, that it means something. Something has to be actually communicating to you that we have done this work.
And so that's why there are these four steps, right: what is being claimed, what's the evidence, how is it being checked and by who, and how are we sharing the results of us having done this work. It's a chain. So the weakest point of those four is the total strength of the verification, whatever the thing is you're trying to verify.
So let's dig into HTTPS in more detail as a good example, right? So.

[5:11] When you say HTTPS, there is one thing you can be guaranteed as being claimed and that is that the address bar, the URL in the address bar, is the URL of the server you are looking at. So the web page matches the address bar. That claim is universal every time you see HTTPS.
So it means that no one managed to become a machine in the middle and send you to a wrong server by hijacking your DNS.
No one managed to intercept the connection and stick wrong information in.
So you know that what you're seeing really is the webpage in the address bar. So the URL and where you are match.
Now, but what's in the URL bar might be Giegel, not Google.
Correct. So the classic example is absolutely Giegel. Exactly.
So if the URL bar says not your bank's URL, but the webpage looks like your bank's URL, well, all the padlock means is that you really genuinely are securely communicating with the bad guys.

[6:12] Because the little HTTPS gives you encryption and all that good stuff, but you were encrypting, true to bad guys.
So in order to get your HTTPS cert, what's actually had to happen is the owner of the website had to do something called Domain Control Validation or DCV.
And DCV can be entirely automated, which is why DCV certs can be free. That's why Let's Encrypt can be free.
Because the act of DCV can be purely automated.
If you actually want something stronger, you can actually make a second claim in your HTTPS. You can buy a cert that doesn't only say the address in the address bar is the website you're really at; it has a second claim.
And the website is owned by this organization. Called an OV certificate.
Sometimes you click on the padlock it doesn't just tell you the URL it also tells you the company.
Wait, wait, wait, wait. OV? You can't just throw that out without telling us what it means. Organizational, organization validation.
I said, I think I said it a second ago, but let me just be double clear. OV is organization validation. It means that not only have you proved that you own the server, you have proved that you are the company you say you are.

[7:21] How would somebody, I don't, I don't get it. I'm Podfeet, podcast enterprises.
How do I prove that I'm a co I represent that company?
You would have to... the reason OV certs cost money is because the certificate authority would have to phone you on a number that they were able to get from a recognized directory.
It's the bins directory of corporations is often used or in the, so I do this for work because we're a university. So we are established by law.
So I have to cite the actual statute that made the university come into existence. And then they go to the university's register and they find the phone number for the university, and they have to phone that phone number and get through to me.
They will not verify that I am acting on behalf of the university.
So to get an OV certificate is a giant pain in the backside and the verification lasts for one year and then you have to do it all again. So I'm very familiar with OV.
How did you do that when you couldn't go into the office for three years?
Oh, well, thanks to the magic of modern telephony, the telephone can come to me. My Teams client is my telephone number.
If you phone my desk, it actually rings wherever I am. choice of modern telephony and the horribleness of modern telephony.
We'll go through this together.

[8:37] So if you click on a certificate, sometimes it will actually say the name of the company in the certificate. And that is how that is done. That is an OV cert and they cost money because it involves a human being making phone calls and all this kind of shenanigans.
And it's a hecking lot of work. So it actually does cost money to get an OV cert. So you're never going to get one of those for free from Let's Encrypt.
Okay. So this is this is verifying that a company is the company.
It's verifying that you really are at the URL you think you are and that URL belongs to that organization.

[9:14] You really are at PayPal.com and PayPal.com really does belong to PayPal. Okay. Okay.

[9:21] So it's valuable actually. Like banks and stuff really should have OV certs. You should be able to say this really is Bank of America or whatever.
But most people don't know to click on an OV cert. People don't click on the padlock to actually see the name of the company. So OV is one of these massive big, this should be useful, but actually.

[9:41] And there's even a thing called EV, which is exactly the same as OV, but the level of proof is higher. Like, I don't know, why do you have to sell them a kidney or something?
What's the E stand for?
Extended.
Okay. And they used to turn green in the address bar and then all the browsers got together and decided they couldn't be bothered. And so it's gone now. So I don't know why. Anyway. Okay.
So the point is the one claim is definitely the website really is the website. And the other optional claim is the organization actually owns that website.
So how do you prove it? Well, we've already talked about the fact that you can set a special DNS record or whatever. We've already talked about the fact that there's all these horrible phone calls and things.

[10:21] So at that stage we know what's being claimed and what the proof is. So how do we actually...
Who's doing that verification? Who's doing that work of proving that the claim matches the evidence? Well that's called a certificate authority.
So for the cheap certs, the certificate authority runs some software. The software does all the work and at the end of the day the certificate authority hands you out the certificate.
No human involved. But the certificate authority was involved. So there's software being run by an organization, and that software is using an open standard called ACME, believe it or not. Obviously they watch too many cartoons.
So there's actually already quite a lot in the trust here, but how do you get to be a certificate authority? Like who gets to be a CA? Well, there's actually... the browser manufacturers really have the keys here. They decide who is and isn't trusted. But they do that in an industry organization where they all get together and they make rules. And then everyone who wants to be a certificate authority has to follow the rules. And there's auditors sent out to make sure you follow the rules. And if you break the rules, you get taken out of the browser. And so there's this massive process. So all of this work has gone into just that simple claim of this really is my website.

[11:40] Okay, and I do know we've had a case of a certificate authority stopping being trustworthy. I forget what they did wrong, but there was one that I remember you told us about that they did something naughty and it was like, nope, you're not that anymore.
Yeah, they issued a government the right to issue certificates, which basically meant that all of the checks were being bypassed. Because the rules are you're supposed to do all of these checks before you give out a certificate, but they gave the right to make certificates to someone who wasn't following the rules.
Therefore they were thrown out.
Okay, good. Well, it's good though that that means the system was working as designed.
Yes, yes. And then the final, so that's three out of the four. So how do we communicate this fact? Well, we use cryptography.
So what's actually handed to you is a certificate that you install on your web server. And that certificate is digitally signed by the certificate authority,
using their certificate, and their certificate's public key is hard coded into your browser.
Your browser has the key to the certificate authority; the certificate authority has the key to your cert. See, it's this chain of trust: the browser trusts the CA, the CA has verified your certificate, your certificate says you really are you.
That is how it all... One part that made no sense to me: you said the, the... So, the cert is stored locally on my computer.
So I go to...

[13:09] You, the owner of podfeet.com, have installed the cert on podfeet.com. I thought you were talking to the user.
Okay. Start it over again. Tell me, tell me the whole thing again. Because I thought you were talking to Allison. So you want to prove that you own your website, right? You want to prove that you own podfeet.com. I want to have a nice secure padlock.
So you go to Let's Encrypt, say, right? And you run their software and their software will do the verification that you...
The way it actually works is it actually puts a file on your website, checks the file and then deletes the file off your website and gives you a certificate.
So they've actually completely automated the whole proof part as well.
Okay. You actually have proven you own the website because they have put a special file there. Their server has checked that the file is at the URL and then they have issued you the certificate.
And that certificate is installed onto your server that is hosting podfeet.com, which means that no other server on planet earth can have a padlock and say podfeet.com.
Okay. Okay. Okay. And that certificate has been digitally signed by Let's Encrypt.

[14:07] And Let's Encrypt's certificate is stored in your browser. So your browser knows Let's Encrypt.
Wait, am I still podfeet.com?
Am I still Allison? OK, let's change that.
Alistair, just to really confuse things or not. Actually, let's go with someone who doesn't have an A initial. Sorry, Alistair.
Helma goes to visit podfeet.com.
Helma's browser trusts Let's Encrypt because Let's Encrypt have not broken the rules.
They are still in the good books. So the browser has Let's Encrypt's root certificate.

[14:40] Let's Encrypt signed your certificate. Therefore, your browser trusts your certificate.
Sorry, Helma's browser trusts Podfeet's certificate.
OK, right. So it's called the chain of trust. So notice how much work has gone into the simple proof that this website really is the website that says it is.
That is how hard verification is. For it to be a trustworthy thing where every link in the chain is strong.
What's the claim? Clearly defined. How is it proven? Clearly defined. Who's doing the work? Clearly defined and audited. How is it shared? The cryptography? Clearly defined.
So each of the four steps is really clearly defined and auditable and checkable and so everyone can trust it. Therefore, billions of dollars can flow across that system every year.
That is what it takes to make the internet work. That is verification. So it's exactly the same on Twitter and Mastodon, right? That is the gold standard if they could approach.
But no. All right. So let's ask the same questions. Let's take, let's jump in a time machine, way back machine.
We are now back in last February, say.
Or frankly, anytime before the summer. So there was a thing where you could get a blue checkmark on Twitter.
So what was the claim that Blue Checkmark made?

[16:06] The claim was that the human being or organization, the account claimed to be really was controlling the account.
So if the account was say, POTUS, President United, sorry, I'm trying to avoid politics. If the account was Neil deGrasse Tyson, I'm sure you had a good take.
If the account was Neil deGrasse Tyson and that Twitter account really was the human being Neil deGrasse Tyson.
And that was the claim. The verification was, trust us. Twitter basically said, we have done the work to figure out that this guy really is Neil deGrasse Tyson. Trust us.
Now, there was no reason not to, so we were fine with that. How they did the work? Black box. We don't know.
They didn't tell us. But they did. And there seemed to be something to it. There seemed to be some sort of process. Not everybody who should have gotten it got it.

[17:02] And not everybody who got it maybe should have gotten it, but it appeared that the people who got it and the organizations that got it actually were who they said they were.
I never heard anything about people who weren't those people getting it.
Correct. Exactly. That's it. That's it perfectly described. Every blue tick was correct, but the logic between who got them was, I never did understand, but it was correct, right?
But it was a status symbol more than anything else.
Kind of was to be honest, yeah, because they were so rare. And then the method of communication is simply because Twitter owned the full platform, they could communicate it by simply putting an icon next to the name.

[17:43] Right? Because they control all of the bits and bobs. So the only thing they had to do to attest to it was to put the icon on the account. So that's all four parts ticked off.

[17:52] Now,
It was a trustworthy system that actually worked quite well, and we had no reason to... like you said, there's never been a case that someone got the blue tick mark who shouldn't have, that we were aware of. So.

[18:05] The meaning of the assertion is what changed. When you want to start it, to me, I don't know what it is today or what it will be tomorrow. The point is the claim has become a moving target. So already our chain is pretty weak, because what does it mean to have the tick?
Well, for a while, it just meant you gave eight dollars.
It's not actually an assertion of anything of any importance whatsoever. This is a person with eight dollars. That's the total sum of the claim that was made by the blue tick mark for a while.
And that was proven by people paying eight dollars and becoming shown with a blue tick as somebody they weren't.
I tried to ask Elon Musk and there were so many fake Elon Musk with blue ticks, I never did succeed. Hilarity ensued is what I would say.
Yes, that is the perfect phrase. Depending on your perspective. Yeah.
So what was the evidence being asked for? Well, there wasn't any. What were the checks being done? There weren't any. What was the method of communication? Yeah, they put up a blue tick.
No, the checks were being done. Checks for eight dollars. And checks with the other spelling too.
Right. So it pretty much fell apart.
So everyone's going over to Mastodon, and given how much talk there has been about blue tick marks, people want their Mastodon equivalent to the blue tick mark.

[19:22] Well, is there an exact analog before you jump into that style? Before you jump into that, I don't feel like we put a complete bow on Twitter yet.
I think you said a little bit of it, but we just don't know what the current system is. There is a system now, though.

[19:39] Well, is it launched yet or is it announced? I thought it was announced. How would I search for that? The announcement was going to be an announcement and then there was an announcement.
But has it actually got into production? I haven't been harangued in my Twitter client to hand over $8.
Okay. I'm sure I'll be advertised that. Eligibility.
There is a site, help.twitter.com slash verify. Oh, Twitter verified accounts. You have to be subscribed to Twitter Blue, so you have to pay your $8.
You have to be in active use, non-deceptive, loss of the account, the whims of people. Yeah, I don't know whether it's...
Coming or going. Yeah, I don't know what it is, but I don't know that it doesn't exist. So it may or may not exist by the time people hear this.
Yeah, that's why I went for "in flux" in the show notes as my wording.
Okay, so if you see a blue check mark in Twitter...

[20:44] Check your calendar. I just made a shrug to the camera. If you couldn't hear that.
I don't know how best to articulate that. My feelings are nice. Okay.
Okay. All right. So now moving to Mastodon. So moving to Mastodon, the question is obviously, well, what's the equivalent of this blue tick that's caused all this kerfuffle, right? We're all moving to this alternative. So what happens are blue ticks.
Well, Mastodon is very, very different in its whole conception to Twitter. Twitter is one website operated by one company who have complete authority over it.
So the concept of verification is very obvious. There is a central authority. Twitter is the central authority of Twitter.
Well, Mastodon being a federated system, there is no obvious central point of authority to take on the role of being a verifier.

[21:38] So that's not what Mastodon does. However, there are actually, depending on how you choose to count, there's one official type of verification, there's a second piggybacked type of authentication and there's a third emerging pseudo kind of verification. So it's actually three different types of verification that I think are worth discussing.
We'll start with, we'll stay on the straight and narrow.
So if you read Twitter's documentation and you look for the section of verification, Twitter's documentation will describe the simplest and easiest to do form of verification.
So are you... hang on Bart, are you meaning to say Twitter?

[22:22] Nope. I'm meaning to say Mastodon. Okay. So start that sentence over. Okay.
Sorry about that. I thought we switched gears again and I was like, I don't follow. Okay. So there's no central authority at Mastodon, but it's federated and therefore there's no one to give you a blue tick that says you are you.
But we have something else. The official documentation for Mastodon, if you read it, tells you that you can verify the links in your profile.
So you get to have four links in your profile, or zero to four, depending on how many you want to fill in.
And they can turn green when they have been verified. So what is the claim there?
The claim is that the person who controls this Mastodon account is the same person who controls that website.

[23:12] So it is a linkage between the Mastodon account and the website. So the level of trust you have in that linkage is down to how believable the website is.
So if there's someone claiming to be a journalist for the New York Times and their link in their mastodon profile is to their author page on the New York Times website and it's turned green, that is a really meaningful verified link.
So what it does say is that at this moment in time,
You have control over the content on that URL. Yes, that is the exact claim.
Doesn't say that, I mean, because I could get hacked and you could have gotten into podfeet.com and claimed you're in charge of podfeet.com. In fact, you have the ability to change podfeet.com and say it's yours. Yes, I'm an administrator. That is entirely correct. Yes, I have.
Because when you go on holidays and Alistair could too, we could all become you.

[24:08] I do have some questions about that, but let's keep going. Right, so the level of... so the actual claim is simply that this website is this Mastodon account, so this website is actually really important because it's kind of up to you to decide if you think that is actually a meaningful verification, right? Okay, this Mastodon account is really connected to that website. Do I care? So like I say, if that is a link to an author page on a major publication, that's very meaningful. If that's a link to a profile page on a government website saying this is the Minister for Finance, that's very meaningful. If it's a random blog by Mr. Interesting Person, well, okay, it's the same interesting person, but it hasn't told you that much information. So bear in mind that all you're getting is a connection between the URL and the Mastodon account.
Right. But if the person who's trying to get verified is verifying that they are this interesting person with this interesting blog, it doesn't matter whether they're CNN or the White House. It just matters that they're who they say they are.
Correct. But the thing is, if someone says to you that their Mastodon account is verified as them, you have to say no.
The only thing verified is the link.

[25:21] Right? Mastodon does not claim to verify the person. Oh, right. Twitter verified the person. So it's different. I'm underlining the difference.
Got you. Got you. Got you. So if you were to verify that podfeet.com is yours, it doesn't say that you're Bart Busschots, just that you have current control over podfeet.com. Says nothing about you being Bart or Allison.
Exactly, exactly. Whereas the old style Twitter verification verify the human being.
Nothing on Mastodon verifies the human being. Okay. So that is the official answer. Really easy to do, because it's actually a very simple claim to make, right? You're just connecting two things together.
So in order for you to provide evidence for this claim, all you have to do is put a link onto the URL you're saying is yours that links back to your Mastodon account, and that follows two very simple rules.
The URL has to be HTTPS.

[26:13] Which means you're actually piggybacking on all of that wonderful crypto and stuff that we've talked about earlier, right? So actually, it's kind of nice that you're piggybacking off the whole HTTPS system.
That actually means that that website has a little bit of stuff going for it. It is real, right? They can't, you can't basically manipulate things by taking over a website that isn't secured, right?
It would be much easier to do a man in the middle attack or whatever to fake the verification if it wasn't HTTPS. So that's just good.
Very simple thing to do, say must be HTTPS. It's actually very clever of them to do that.
And what surprised the open source community came up with that. And then the only other rule is that the page at the other end of the URL has to contain either a visible or an invisible link back to the Mastodon profile with an rel attribute.
A rel stands for relationship.
And the value of the relationship is me. So rel equals me.
So the relationship between the owner of this website and the destination of this link is that they are both me.
In other words, I am claiming my Mastodon account.
Is this the code on your website? Yeah.

[27:22] So here's, here's a question. Um, Steve writes for podfeet.com. Can I have two rel equals me, one for Steve and one for me on my website?
Yeah, absolutely. Absolutely. Because it's not saying is this the only rel equals me, it's just checking is there one.

[27:46] Okay, we're having some some lag on the internet here, so I'm not quite sure what you just said. Say that again.
Yeah, so it's not a one to one mapping, right? The question is just, is there a relationship between this website and this Mastodon account? One website can be related to multiple Mastodon accounts. One Mastodon account can be related to multiple websites, so you can have multiple links on the page that say rel equals me to Steve's account, rel equals me to your account.
Well, it was me to my account if you want to let me claim ownership of something, right? It doesn't matter as long as there is one to that account, it's happy.
That would also suggest you could have several URLs. So you could have Bart, B, whatever it is, BartB.ie and let's-talk.ie. You could have them both verified as you.
I could because your Mastodon profile has up to four. So you could have up to four tick marks.
Yeah. So in the show notes, you said that it has to be in the, an A tag in the page's body or an invisible link in the page's head.
That's not correct. You could do it in the footer, which is where I was actually instructed to do it.
So not just the head. Okay, footer. Right.

[28:58] The link tag belongs in the head to be a valid piece of HTML. So link rel equals belongs in the head.
It may, it may work for Mastodon validation, but it's invalid HTML.
And an a tag has to go somewhere inside the body.

[29:11] A footer is in the body of your web page.

[29:16] So I put the URL they told me to put in. I put it in the footer and it works. Okay, but the footer is in the body.
The footer is in the body. Is it visible on the page?
Okay, you said it had to be in the head. Okay, because it's visible, it has to be in the body and the footer is part of the body.
Yeah, everything that... So your web page at its lowest level has a bunch of headers that are invisible and the content, head and body.
Your content contains a header, a page body and a footer, but they're all in the body tag.
Right. If you view source, everything is in the body.
Okay. So if I was to be creating a, an HTML page by hand, I would know that I would have, would not have asked that question.
The way I work in WordPress, I have a theme and the theme has a nice little GUI and it says where do you want to put this? And I push a button that said footer. So when I saw head, I was like it wasn't in the header, it was in the footer. Now I see what you're saying. Okay.
So to put a link in the body, where in the body would you put it?

[30:22] Work.
Well, anywhere is not an answer in today's blog post. Yeah. As long as when you go to the URL and you do a control F on the page, you find it, then it is there.
Wait a minute. The link is invisible. I wouldn't find it.
The invisible link goes in the head section. So that is in the source code. So if you do a view source, you'll see it, you know, heads, title, all that stuff will be in the head.
Okay. So I'd have to find it. Okay. Okay. So mine is visible at the bottom of my web page and I just wrote it, "Follow me on Mastodon" is what the link says.
Yeah, because it can be any text right between the opening and closing link tag can be any text. That's not part of the spec. All it says is that the URL has to be the mastodon profile and it has to say rel equals me. Okay.
Actually very good to mess around with it. Okay. So with all that faffing about explaining that what we have said is that that putting this text on your website verifies that you have control over that website.

[31:25] Yeah, and it connects together the website and the Mastodon account and that's it. That's all there is to it because the claim is so simple.
So whether you run your own website or not, if you're just looking and you see somebody says they own BartB.me, that just says they have control of BartB.me.
It doesn't say they're Bart.
Correct. I wonder if that site exists. I may now have to go register that. The other thing, I did some testing because my website redirects, so if you go to bartb.ie you get redirected to bartbusschots.ie.
So I added two links to my profile, one to the final resting URL where you end up after all the redirects and one to bartb.ie and they both turned green.
So verification will follow redirect.

[32:06] Which is nice to know. Because a lot of people have a shorter nice URL that then redirects them to a longer URL. So that's good to know that works. You can really make a lot of fun of the way I name my website, but it's only seven characters. So... Yes. Yes.

[32:21] One annoying caveat is that validation happens when the server feels like it. So your instance is running a cron job every n minutes.
That it does whatever background work it has to do. Or one of those background tasks is do all the verifications that are outstanding. So it will happen when your instance feels like doing it.
And so you'll hit save and nothing will turn green and you'll think you've done it wrong.
Walk away. Just go away, do something else and come back in some vague amount of time and it will have turned green. Or it won't, in which case you'll have to try again.
So it took me three days to get mine working and I'm not entirely sure what did it in the end because, well, I don't know how long I was supposed to wait. Maybe I had it right all along.
Maybe there was never a problem. I don't know. Did you fiddle with it?
Of course I fiddled with it because these show notes were coming up and it wasn't working yet and I was fiddling. I actually put it in two places, so I'm not sure whether it's working. I don't know which one fixed it. I have it in the head and in the body. It's, like, well, what the heck? I have one. Oh, where is it? Oh, I created a, a button that says, uh, follow me on Mastodon on podfeet.com. I think if I remember correctly, this was a few weeks ago now. I went to look on your website to see how, see if I was doing something I was like, well, Alison's works, Alison's is green.
How did she do it?
So I don't know whether that one's actually functioning. I think that one probably isn't.
It was a little bit weird. But if you look at the very bottom, it says follow me on Mastodon. And that is actually the rel equals me for that one.

[33:49] Yeah, because the other one has a rel equals quote equals rel me or something. There's something a little weird going on.
Yeah, it was part of a little box I'm stuck in in my theme and stuff. So I was just kind of flailing around going, well, I'll throw it in there. And then later on I thought, well, I'm not sure that's gonna work. So let me put it in the footer. So I don't know why it works, but I have me a blue check mark.
And it just has to be one of the links has to be correct. So blue checkmark, you know, you have green checkmark, not a blue one. Green, sorry, green.

[34:19] Happier color. So that is the official type of verification. Connect your Mastodon profile to your website.
Some very clever and very nerdy people realize that if a URL can be verified, then with a little bit of writing up a spec, you can verify a cryptographic public key.

[34:39] Because what you do is use a service called Keyoxide to link your public key to a URL. And then you connect that URL to your profile and there your public key is connected to your profile.
Okay. 100% lost you. No idea what you're talking about. Start over. Imagine you're a person who wants to do encryption using public key cryptography.
You might be a journalist who is hoping someone will leak them some sensitive data. So you need to publish your public key to anyone who wants to send you information completely secretly that can encrypt with your public key.
And the only person on planet earth you can decrypt that is the person with your private key.

[35:19] Now, if I'm a leaker and I want to send you information, I need to have some confidence that I'm using the right public key because if the FBI snuck me their public key instead of your public key, I would be in deep doo doo.
So by being able to link the public key to the Mastodon account, I now know that I really am talking to that Mastodon user when I use that public key to encrypt.
Okay, so how do you do that? Now I understand the reason to do it. So there's a web service that's open source called Key Oxide, and they provide a way of publishing your public key at a URL that will also include a Mastodon link in the URL.
So it's a webpage that has two pieces of information.
The public key and the Mastodon URL. So it will turn green when linked in Mastodon. and it will contain the public key.

[36:12] I feel like I'm just being real slow Bart. I didn't follow that.
Okay. Keyoxide magically says these two things get to go together, but how do they, how do they verify that? Okay. You as the person who wants to publish your key set up a Keyoxide account and you on your Keyoxide profile publish two pieces of information.
Your mastodon URL and your public key.

[36:35] Okay. Okay. Now, that mastodon URL. Why can't I take my mastodon URL and your public key?
Because your public key is publicly available, so I can take BARTs and attach it to my mastodon URL.
Okay, what could a public key be if you don't have the matching private key?
It isn't, but I could do it. Absolutely you could. But I don't see what Keyoxide is doing then, if there's no verification.
But there's no way to put your public key on your mastodon profile without some website in between.

[37:10] The problem to be solved is to get your public key onto your mastodon account. This is a website to help you do that using Mastodon's ability to verify your URL.

[37:21] But I thought I needed control of that website and I don't have control of Keyoxide. You have control of your profile page on Keyoxide.
Okay, so it's a profile page. So you will set yourself up on Keyoxide with a profile that has a URL that's just for you, that has two pieces of information. Your Mastodon URL with a rel="me", and your public key.
You then take that URL for keyoxide forward slash podfeet. Okay.
And you put that into your Mastodon account as one of your four links. It will turn green. Okay. Because it's going to go to Keyoxide, to the URL I gave it, and it's going to find the rel equals me.
Yes. Therefore, when someone goes to your Mastodon page, they're going to see one of your links is going to say GPG. It's going to be green.
And it's going to be a link where they click on it and they get your public key. So that is now connected, those two pieces of information together using verification.
So again, it's, you know, it's not something most of us have to do, but if you're interested in sharing public keys, it's really nice to be able to connect your public key to your Mastodon account.
Is that something you're going to do?
I don't know, because I don't, I believe the concept of GPG is nuts. I believe in the public key infrastructure. If I need a certificate, I will buy a certificate from a certificate authority.

[38:46] So I'll use S/MIME, not GPG. But I am not a journalist.
OK, so you just say this does exist. OK, all right. And people are very passionate about it.
OK. The other thing, then, which I think is really cool is a side effect of Mastodon's federated nature.
So, your username on Mastodon is at something at some where.
The at some where is a domain name. Right?
So, if you are, say, the White House, you could run a Mastodon server at potus at whitehouse.gov.

[39:25] So at whitehouse.gov could be the server or the instance. Sorry, I keep on saying server. I mean instance.

[39:32] But that actually means that only the White House could have set that up. So if the White House say only people who work here get accounts here, then anyone's username that ends in at whitehouse.gov must actually be at the White House.
So I'm glad you picked the Whitehouse as a, as an example, because there is an account. If you search for the White House on Mastodon, you will find one called the White House.
It has a big green check mark, and it's pointing to at White House at mastodon.cloud.
So that's not at whitehouse.gov, therefore not actually. Well, but, but...
Ah, let me just tell you what's on it. It's a banner photo of a different president.
Of course it is. So this is definitely not the White House. But that check mark tells me that whoever created this account owned a domain that they said was theirs.
But just looking at it up front, it doesn't tell you what domain that was. Well, it does because the link goes somewhere. So where does it go?
That's why I just said, just looking at this green check mark, it does not say anything about where it goes. You have to go into it.

[40:49] I'm not even sure how to go into it. Yeah, no, I don't see. Or do they even have a green link or do they have they just put an emoji of a check mark? They might have put an emoji in.
Yeah, that's probably what, that is what it is. You're right, that's an emoji. So.

[41:05] There is an example of, cause the actual signal is when you go to the profile, the links turn green.
It's not at the end of your username, it's the links in your profile. So if I click on your icon, I get to see your profile, and your profile has a link to podfeet.com, and the link to podfeet.com is green.

[41:24] If you go to my profile, you should see two links that are both green and my GitHub link that isn't green yet. I haven't figured that out yet.

[41:32] Oh, that's interesting. You can do your. I can do it for you. Yeah, except for the fact that GitHub strip out the rel.

[41:41] So I need to do a little more figuring out there. OK, OK. Okay. I'm really curious here because the client I'm using doesn't even, doesn't appear
to let me go in and see the, the, actually, let me look for you. Sorry for doing this real time, but I'm really curious why I'm not able to, I'm not even looking. What are you on Twitter again?
At Bebooshot? Bebooshot at Mr. Novels. Well, trust me with your spelling, there's not two of you. We don't have to worry about Okay. Okay. So when I go into yours, that's the difference. So when I go into yours, I see the,
I see website homepage and GitHub and I see green check marks and green URLs for your website and your homepage. That fake White House doesn't have any URLs.

[42:31] Yeah. So there, yeah. So again, this came up because a friend of mine said, look, I'm following the White House on Mastodon. I looked over it and I said, no, you're not.
But it wasn't this one. It was a different White House that wasn't the White House. Yeah. So what I'm talking about here is after the second at is the server.
And you can't fake the server, right? No, but the server, they could have White House on mastodon.social. I know.
That would be unlikely of them, but they could. Right. Okay. But that's not what I'm saying. What I'm saying is if the bit after the second at is something of value, it really is something of value.

[43:14] What are you defining as something of value? I don't know what you mean. If it is a domain name that has a meaning. So the two examples are that the European Parliament,
have a Mastodon server at EU, at parliament.eu, or I can't remember the exact URL, but the at, the, at their actual domain name. Okay.
And the German government have set one up at the actual domain name for the actual German government. You can't fake the bit after the second at.

[43:40] So if it is something that is real, it is real. OK, OK.
That actually is a way of adding real verification. So the European Parliament have said we will not give Mastodon accounts to anyone who is not actually with the European Parliament.
So every Mastodon handle that ends with at European Parliament, whatever it is, really is someone connected to the European Parliament.
The German government have said, A, we want all officials to use the official Mastodon, and B, only authorized people are allowed onto the official Mastodon. Don't, don't say official Mastodon.
The official German government Mastodon instance.

[44:19] Thank you. Instance. Yes. There's not an official Mastodon. Fair, fair, fair. I think an example that people could, everyone here could probably connect to is Federico Viticci has
officially moved to Mastodon. Not staggering back and forth, but moved. And his handle is at at viticci.net.
Now there we go. So you know he's Federico. That's an example, yeah.
Yeah. And another example is that Leo Laporte is offering his listeners who subscribe to his membership doohickey at twit.tv Mastodon accounts.
Yeah, he was. And I'm actually a member there and he got too big and he had to stop letting people in. And it was right after, shortly after I had joined his member program.
But I mean, I saved some.
No, I didn't end up asking. It doesn't really matter.
No. Well, it's kind of nice, though, because only people who are actually in his clubhouse can have his can have accounts at twit.tv.
So there is, you know, again, it's an example of it tells you something. Right. Because if you have a twit.tv account, you are actually a listener.
Right. Right. Let me correct myself. It's viticci at macstories.net. I said viticci.net.
Perfect. It's viticci at macstories.net. He doesn't have a green check mark though.

[45:46] But like I say, the actual second domain name, you can only be at that domain name if they let you in. So if that domain name belongs to an organization, then that organization let you in. So it is actually, that second at is very valuable.
So you're saying to create an instance with at macstories.net, you have to own macstories.net.
It's a DNS name. Yeah, that's how the traffic gets routed to the instance. Okay. It's DNS. You genuinely have to own the domain.

[46:16] Cool. It's just like an email address at podfeet.com has to be at your mail server.

[46:24] So if you run your own Mastodon instance, it would have to be on your domain and you would have to set the DNS records.
So it really would be you. I am not even vaguely interested, but you know, I could.
Right, right.
You know, if people are doubting whether this is actually going to be a thing on Mastodon, I didn't make any bet that it is really going to be a thing, but a, a journalist,
one of the ones who got banned recently said that when he first got banned, he had 1200 listener readers on mastodon.
And by the time they were interviewing him about it, which is what two, three days later, he has 20,000.
Wow. The other thing I see already, the other place I see it really taking off is in European governments like Germany, where there's a strong open source ethos at
government level. So they have a very strong ethos for using open source software for government applications and for things that involve the public.
And so they're very keen to see something that isn't controlled by any specific company take off. So the fact that they've spun up their own Mastodon instance means they're really serious about this. And I would say it will become an important communication mechanism for some European governments.
Interesting. Yeah, like I said, I wouldn't have I would have bet that this was going to be the thing, but.

[47:45] It may have legs. It may have legs. It's yeah, it's maybe not flying yet, but it's a big elephant. It's tromping through the jungle.
Although if Dumbo was talking to me, I think it could fly one day. There you go.

[48:02] Anyway, so that is that is my it all came out because I wanted to figure out how to make my links turn green and ended up being a big discussion on what it means to be verified in the abstract sense.
I think it's a good conversation to have because I think whenever you see someone claiming, well, I'm a verified blah, blah, blah, I always ask, what's the claim? What's the evidence?
Who did the checking and how am I sure it's really true?

[48:23] Yeah. And I asked Bart before he started this, I said, I don't understand how you're going to make a whole conversation about this for 48 minutes. I said, you know, I copied the link they told me to put at the bottom of my website and I was done. And he said, yeah, well, there's there's a little more to the conversation.
I thought those were really interesting to help us make sure we keep thinking about what that verification means and what's behind it.

[48:49] And it's important all over the place, not just on social media. It's just an idea that I think is important people have in their heads. I did promise you between 45 minutes and an hour. So yes, you did.
Exactly right. Well, I hope you have a great happy holiday and I appreciate you jumping in and giving us one last show before the end of the year.
I was it was literally my absolute pleasure. Today is the first day of my annual leave for the Christmas period. I finished work for the year. I am done. I saved up my annual leave to have it all to take at the end of the year.
For me, 2022 is now purely fun.
So I'm in a complete holiday mood. So I definitely want to wish everyone lots of what is it I said to my colleagues?

[49:28] Joyous, delicious and peaceful holidays. That's what I want everyone to have. Delicious is really important. I stuck that in the middle.
All right. I think there's no better ending. Thanks for coming on Bart. It was my pleasure. And remember, do remember to have lots of happy computing.
Have to end on that.

[49:47] I hope you enjoyed this episode of Chit Chat Across the Pond. Did you notice there weren't any ads in the show? That's because this show is not ad supported, it's supported by you.
If you learned something, or maybe you were just entertained, consider contributing to the Podfeet Podcast. You can do that by going over to podfeet.com and look for the big red button that says support the show.
When you click that button, you're going to find different ways to contribute. If you like to do a one-time donation, you can click the PayPal button. If you want to make a recurring contribution, click the weekly Patreon button.
Or another way to contribute is to record a listener contribution. It's a great way to help the NosillaCastaways learn from you.
If you want to contact me for any reason, you can email me at allison at podfeet.com and you can follow me on Twitter at podfeet.
Maybe you want to talk to other NosillaCastaways. You can do that in our Slack group at podfeet.com slash slack.

[50:42] Music.