snarfed / bridgy-fed

🌉 A bridge between decentralized social network protocols
https://fed.brid.gy
Creative Commons Zero v1.0 Universal

Add 'rel=me' for Mastodon Bridge Automatic Verification #1309

Closed hollowaykeanho closed 2 months ago

hollowaykeanho commented 2 months ago

For bridging from Mastodon, please add a rel=me relationship to the fediverse anchor to comply with the Mastodon verification tick requirement shown below:

image

Specifically, this:

image

The URL and rendering are all fine. It's just short of the rel=me relationship. I would recommend using a case condition, because not all social networks use the same method for account verification, so you guys can support each vendor individually.

snarfed commented 2 months ago

Hi! Here are instructions for setting up rel=me for web sites bridged into the fediverse: https://fed.brid.gy/docs#mastodon-link-verification

For fediverse accounts, I'm curious to hear how adding rel=me to Bridgy Fed's user pages like you describe would be useful. They're not your own web site, or under your control, or another profile of yours on a separate network, they're just a third party tool with another view of your same Mastodon profile, right?

hollowaykeanho commented 2 months ago

> Hi! Here are instructions for setting up rel=me for web sites bridged into the fediverse: https://fed.brid.gy/docs#mastodon-link-verification

My profile is bridged directly from the Mastodon account so this is not applicable. The one described here is only for web bridging.

> For fediverse accounts, I'm curious to hear how adding rel=me to Bridgy Fed's user pages like you describe would be useful. They're not your own web site, or under your control, or another profile of yours on a separate network, they're just a third party tool with another view of your same Mastodon profile, right?

For Mastodon, I believe they're using a two-way chain-of-trust method. As long as the third-party service provider points back to the correct profile in a two-way linking, it should be fine. GitHub profiles use the same method (see my profile with a verified GitHub profile: https://mastodon.online/@hollowaykeanho).

Your bridged account can only be created by my Mastodon account following the fed bridge account, so it's safe to do so. Moreover, I don't believe you and your team plan to be a "man in the middle" between the owner and the bridged account, so you can safely honor the two-way linking verification.

Things will only go wrong if you offer an alternative registration method + direct posting to the bridged account (e.g. a manual sign-up form). In that case, the owner of the bridged account must have manual control over the Mastodon URL linking.

GitHub is the best reference for your business case (same 3rd-party role & same use cases).


This "chain of trust" mechanism is a method to counter impersonation/bots, which I believe the Mastodon team sorted out by analyzing Twitter beforehand. As long as I'm still in control of the origin Mastodon account, regardless of who else tries to place the rel="me" relationship, I'm the one who publishes the link on my profile (control is still with me).

Although at my level I would prefer a cryptographic signature (e.g. GPG) for authenticity, that would be overkill for public social media posting.

snarfed commented 2 months ago

Right. I'm familiar with rel=me, it originated and developed in the microformats and IndieWeb communities, and I've been participating in both for decades now. My point is that I'm not convinced it makes sense to put rel=me on the links on https://fed.brid.gy/ap/@hollowaykeanho@mastodon.online .

As an example, you have a number of different profiles online: https://www.hollowaykeanho.com/ , https://github.com/hollowaykeanho , https://mastodon.online/@hollowaykeanho , https://bsky.app/profile/hollowaykeanho.com . Each one is a separate account, in one form or another, and they all represent you, and are under your control, so it makes sense that they should link to each other with rel=me.

https://fed.brid.gy/ap/@hollowaykeanho@mastodon.online , on the other hand, isn't a separate account, nor is it directly under your control in the same way. It's a view of your Mastodon account. If you added that URL to your profile, and we verified it with rel=me, it would only demonstrate that you're the same Mastodon account, nothing more.

hollowaykeanho commented 2 months ago

> https://fed.brid.gy/ap/@hollowaykeanho@mastodon.online , on the other hand, isn't a separate account, nor is it directly under your control in the same way. It's a view of your Mastodon account. If you added that URL to your profile, and we verified it with rel=me, it would only demonstrate that you're the same Mastodon account.

Oh, that's a different thing. This mechanism is meant for relationship validation, not origin source validation. The latter has a lot of underlying cryptographic verification that is usually published on the website, independent of any network (the origin can only be me), which is outside the context of this case. For those I usually publish a GPG detached signature & PDF.

So relationship-wise, that bridge page (https://fed.brid.gy/ap/@hollowaykeanho@mastodon.online) that you provided really represents me; my signing up to your bridge service means I already vetted you as my trustee, so you can safely honor it even though the source code is under your control. After all, you're my trustee. This is the same case as GitHub, although they provide more control than you do. I obviously don't control GitHub's source code either.

I mean, there isn't any reason to dishonor your relational service on my profile as shown below, is there?

image

snarfed commented 2 months ago

We may need to agree to disagree here. I definitely understand that you'd like a green check on the fed.brid.gy link on your profile! I just don't really think that link belongs there. If you want to link to your bridged account on Bluesky, https://bsky.app/profile/hollowaykeanho.mastodon.online.ap.brid.gy , feel free to! That link is much more useful for people viewing your profile.

snarfed commented 2 months ago

(Also, rel=me doesn't just represent a relationship with a linked profile, it represents that you are that linked profile. Specifically, the microformats community recommends bidirectional rel=me verification, i.e. checking that both sites link to each other with rel=me. For cryptographic proof, you can require https and check the TLS cert and connection on both links. That's equivalent to a GPG signature, with the added benefit that it's simpler and part of the HTTP fetches you're already doing, not a separate, out of band process.)
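The bidirectional rel=me check described in this comment (and the two-way linking hollowaykeanho described earlier in the thread), written out as an added example. This is not Bridgy Fed's or Mastodon's own code. The HTML pages, the `example.net` page and the `fake_fetch` lookup are constructed for the example; nothing is fetched over the network.

```python
# Bidirectional rel="me" verification of the kind Mastodon does for profile links.
# Added example, not code from Bridgy Fed or Mastodon. The HTML pages and the
# fetch map below are constructed for the example; nothing is fetched over the network.
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit


class RelMeParser(HTMLParser):
    """Collect the href of every <a>/<link> whose rel attribute contains the token "me"."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("a", "link"):
            return
        a = dict(attrs)
        rel_tokens = (a.get("rel") or "").lower().split()  # rel is a space-separated token list
        if "me" in rel_tokens and a.get("href"):
            self.hrefs.append(a["href"])


def normalize(url):
    """Canonical form for comparison: lowercase scheme and host, drop fragment and trailing slash.
    http and https are intentionally kept distinct."""
    p = urlsplit(url.strip())
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path.rstrip("/") or "/", p.query, ""))


def rel_me_links(html):
    parser = RelMeParser()
    parser.feed(html)
    return {normalize(h) for h in parser.hrefs}


def verify_rel_me(profile_url, claimed_url, fetch):
    """Return (ok, reason). ok only when BOTH pages link to each other with rel="me" over https.
    `fetch(url) -> html` stands in for the HTTPS GET; in production that GET, certificate
    validation included, is what ties each page's content to the holder of its domain."""
    for u in (profile_url, claimed_url):
        if urlsplit(u).scheme.lower() != "https":
            return False, f"{u} is not https"
    profile, claimed = normalize(profile_url), normalize(claimed_url)
    if claimed not in rel_me_links(fetch(profile_url)):
        return False, "profile does not link to the claimed URL with rel=me"
    if profile not in rel_me_links(fetch(claimed_url)):
        return False, "claimed URL does not link back to the profile with rel=me"
    return True, "verified"


# Constructed pages mirroring the situation in the thread (not the real page contents).
MASTODON = "https://mastodon.online/@hollowaykeanho"
GITHUB = "https://github.com/hollowaykeanho"
BRIDGY = "https://fed.brid.gy/ap/@hollowaykeanho@mastodon.online"
IMPOSTOR = "https://example.net/someone-else"  # hypothetical third-party page

PAGES = {
    MASTODON: f'<a rel="me" href="{GITHUB}">GitHub</a> <a rel="me" href="{BRIDGY}/">Bridgy Fed</a>',
    GITHUB: f'<a rel="me nofollow" href="{MASTODON}">Mastodon</a>',
    # The Bridgy Fed user page links to the profile but (as of this issue) without rel=me.
    BRIDGY: f'<a href="{MASTODON}">@hollowaykeanho@mastodon.online</a>',
    # A page that claims to be me; my profile never links back, so it must not verify.
    IMPOSTOR: f'<link rel="me" href="{MASTODON}">',
}


def fake_fetch(url):
    """Offline stand-in for an HTTPS GET: returns the constructed page or "" if unknown."""
    return PAGES.get(normalize(url), "")


if __name__ == "__main__":
    for claimed in (GITHUB, BRIDGY, IMPOSTOR, "http://github.com/hollowaykeanho"):
        print(claimed, verify_rel_me(MASTODON, claimed, fake_fetch))
```

Only the GitHub link verifies: the Bridgy Fed page fails because it links back without `rel="me"`, the `example.net` page fails because the profile never links to it (the direction that stops a third party from claiming an account), and the plain-http link is rejected before any fetch. The https requirement binds each page's content to whoever controls that domain's certificate, which is the "TLS as proof" point above; as the next reply notes, that is not proof of who authored the content.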

hollowaykeanho commented 2 months ago

Same case with direct Bluesky. Basically, there isn't a way to place the relationship.

image

> rel=me doesn't just represent a relationship with a linked profile, it represents that you are that linked profile.

Be very careful what you're about to reply here, because if you do not honor what you stated, you're admitting identity impersonation for all the bridged users. This includes users outside of Mastodon (but first detected by Mastodon).

There isn't any reason not to establish a two-way relationship between the linked profile and the origin profile. Period. It does fulfill Microdata's requirements. You're confusing this with source origin validation, which is out of context here.

> For cryptographic proof, you can require https and check the TLS cert and connection on both links. That's equivalent to a GPG signature, with the added benefit that it's simpler and part of the HTTP fetches you're already doing, not a separate, out of band process.

No. A TLS cert cannot represent origin of authorship (e.g. placing a Cloudflare load balancer in front of the site alters the TLS to Cloudflare itself). As I said, source origin is outside of this context. Let's not head there again.


Also, your bridge service, AFAIK, wasn't it for the whole fediverse? Or is it just Bluesky and Mastodon? If the former, then the provided bridge page makes more sense (there are too many combinations of social networks).

snarfed commented 2 months ago

> Be very careful what you're about to reply here, because if you do not honor what you stated, you're admitting identity impersonation for all the bridged users. This includes users outside of Mastodon (but first detected by Mastodon).

I may not fully understand what you mean here, but if you think you see a security vulnerability in Bridgy Fed, please do report it! I take all reports seriously. https://fed.brid.gy/docs#vulnerability

> TLS cert cannot represent origin of authorship

Ah, sure, I see what you mean. Agreed! And in practice, the way it's usually used, neither can GPG. I loved key signing parties and web of trust in the '90s, my public key has some great signatures, but realistically, if someone's going to verify a GPG signature you generated, they're going to get your public key from your web site, or an email, or something similar. Which inevitably used DNS and TLS.

PKI is hard.

> Also, your bridge service, AFAIK, wasn't it for the whole fediverse?

Yup! Right now web, ActivityPub (both Mastodon and others), and Bluesky. Hopefully more soon.

hollowaykeanho commented 2 months ago

> I may not fully understand what you mean here, but if you think you see a security vulnerability in Bridgy Fed, please do report it! I take all reports seriously. https://fed.brid.gy/docs#vulnerability

Ahhh... let me try to frame the message with Q&A:

  1. Do you agree that the linked profile shall represent the origin profile socially (not in code), verbatim? YES/NO
  2. Do you plan to make any alteration to the linked profile, aside from the porting efforts from the origin profile, like ad-post injection in the future for cost recuperation? YES/NO

If (1) is YES AND (2) is NO, then the linked profile and the origin profile are representing each other so you can safely set rel="me" as specified by the Microdata (both linked profile and origin profile are socially me).

If (1) is NO OR (2) is YES, you need to specify in the docs why they're not the same, so that people are aware of what your exact offering is before performing the bridge work.

Matching the Microdata specification, my Mastodon recognizes your fed profile; right now yours does not honor it back. You do not have to worry about misinformation/misrepresentation by adding rel="me", because I'm still the authority for recognizing it back. It's two-way, remember?

Breach of trust is beyond code security. This is a public issue. Hence, tread carefully.

> PKI is hard.

Haha. Fortunately for you, this is not the case and I'm not requesting one. The Microdata spec does not require this either. Now that we're aligned, let's leave it out. =)

> Yup! Right now web, ActivityPub (both Mastodon and others), and Bluesky. Hopefully more soon.

Then you're on the right track. That Fed profile will later become something like a Linktree, so honoring the fed profile page makes a lot more sense. Imagine somewhere in the future there are 30+ bridged networks; that will be insane to manage.

hollowaykeanho commented 2 months ago

Never mind. I will close the case now since I'm no longer performing the bridge. Please focus on other important matters.

Thanks.

snarfed commented 2 months ago

Sorry to hear you're not using the bridge any more.

> Be very careful what you're about to reply here... ... Breach of trust is beyond code security. This is a public issue. Hence, tread carefully.

When you're asking an open source maintainer to do something for you, threats like these don't help. Maybe skip them next time.

> 1. Do you agree that the linked profile shall represent the origin profile socially (not in code), verbatim?

If "linked profile" means eg https://bsky.app/profile/hollowaykeanho.mastodon.online.ap.brid.gy , then yes. If it means https://fed.brid.gy/ap/@hollowaykeanho@mastodon.online , then no.

> 2. Do you plan to make any alteration to the linked profile, aside from the porting efforts from the origin profile, like ad-post injection in the future for cost recuperation?

No.

I'm not exactly sure where that leaves us. You're obviously welcome to put any link you want on your Mastodon profile, even if it doesn't make sense to me. And I may not be convinced that rel=me belongs on the Bridgy Fed user pages, but it's pretty harmless, so I guess I don't mind adding it. I'll go ahead and do that.