Vouching for webmentions; hashing for vouches

As mentioned yesterday I’ve enabled webmentions on this site. Now, webmentions could have the same spam problem that Pingback has, and so one of the proposed solutions is Vouch, where when you send a webmention you also include with it a “vouch URL”. That URL is a page which (a) links to you, and (b) is trusted by the person you’re linking to. That way, the receiver can say: OK, I don’t know this person who’s linking to me, but I do know this other person, and she knows the first person, so I reckon they’re probably OK. You can see an example of this on Aaron Parecki’s “replies” site; one of the comments says “(vouched for by waterpigs.co.uk)”.

Put your hand up if you can see a problem with this approach.

I think there are two problems; neither are insurmountable, but both are problems. The first is: how do you find a person who will vouch for you and whom the recipient trusts? I think of this like, say, the problem of you, gentle reader, finding out what my mobile phone number is. If you’re reading this, then we’re probably vaguely connected; we both work on the web, or on Ubuntu, or both like Portishead, or something; we probably have some friends in common; there are lots of people out there who know my mobile number; therefore, if you really wanted my number, you could play the “six degrees of Kevin BaconStuart Langridge” game and find someone who knows that number and trusts you enough to give it over. But it’s a really annoying task, because you don’t know who to ask; all you can do is basically ping friends at random. In particular, if there is actually nobody you know who knows my phone number, then you can’t tell that; all you can do is keep asking people and you’ll never know whether you haven’t found anyone because you haven’t looked hard enough, or because we’re not good enough friends and so there’s nobody out there to find. You could look for an unlimited time.

I do not like things that could make me work for an unlimited amount of time.

Second issue: the clique problem. If you only accept vouches from people you trust, then there’s no easy way to get trusted. It makes it much, much harder for an outsider with something to say to get themselves heard. Now, some people like that: they want discussions to be among known people only, and that’s fine. But I don’t really like the idea of institutionalising that by baking it into the core protocol.

Since Vouch exists in large part to avoid spam, I thought: hey, what if we build a thing which will vouch for you if you prove you’re not a spammer?1 And then people will hopefully learn over time that being thus vouched for is valid, and then everyone wins. If you know someone who will vouch for you, then use them to do so; if you don’t, prove you’re not a spammer and have the service vouch for you. If you receive a vouched for webmention from someone you trust, great; if you receive one vouched for by the service, then satisfy yourself that the service works and then you can give it some limited degree of trust. So it’s not necessary to use this sort of service, but it can help to make a bridge from one “circle of trust” to another, or to help someone get involved in the conversation even if they’re new to the group. We had a really interesting discussion about all this on the #indiewebcamp IRC channel yesterday.

So I built Hash for Vouch. A simple service: you do a little bit of computational work (a hashcash-style algorithm), and the service verifies that you did the work and then puts up a page which vouches for you, which you can send along with your webmention. There’s an API so you can do the work and then prove it to get a vouch URL programmatically, or you can use the form on the front page to do that work in your browser and get a vouch URL that way. Spammers can’t do the work because it makes spam uneconomical if each one takes five seconds to send. And anyone real can join the conversation.

I’m now sending webmentions which are vouched for by Hash for Vouch when I link to URLs on this site. Feel free to do the same!

  1. Actually, I didn’t quite think of this. I thought: why not prove you’re not a spammer directly? And Michiel de Jong thought of the idea of proving it to a service which then vouches for you, which is super clever because it piggybacks on the existing Vouch network, it allows people to trust “autovouched” mentions differently from “personally vouched” mentions, and it doesn’t require everyone with an endpoint to update it.

More in the discussion (powered by webmentions)

  • Daniel Newns responded at Daniel... (twitter.com) retweeted this.
  • Daniel Newns responded at twitter.com @sil love the styling ;)
  • Stuart Langridge responded at twitter.com @dnewns I don't know why designers go on so much about how hard their job is, it's easy :)
  • Gary Fleming responded at Gary... (twitter.com) retweeted this.
  • James Westby responded at twitter.com @sil what stops me, as a spammer, getting vouched in 5s then using that to send a million spam?
  • Kyle Mahan responded at Kyle Mahan... (twitter.com) favorited this.
  • Stuart Langridge responded at twitter.com @jdwestby the page that is being vouched for won't contain links to each of the things you're spamming. Now, it *could*, but that's harder
  • Paul Freeman responded at Paul... (twitter.com) favorited this.
  • Giovanni P responded at http://www.k... (questo.email) Just to clarify things on my mind: why not other anti-spam things, like CAPTCHA-for-Vouch?