Home 零对冲(ZeroHedge)每日HackerNews

我关于ATProto密钥管理方面的判断是正确的。
I was right about ATProto key management

原始链接: https://notes.nora.codes/atproto-again/

作者尝试使用个人数据服务器 (PDS) 和 `did:web` 身份创建完全去中心化的 Bluesky 账户,旨在避免依赖 Bluesky 公司的基础设施。尽管使用 NixOS 简化了 PDS 设置,但整个过程非常复杂且文档匮乏。 过程中出现诸多障碍,包括过时的教程、缺失的文档步骤,以及根据 ATProto Discord 的建议进行账户创建和删除的令人沮丧的循环。最终,作者的 `did:web` 被“烧毁”——列入黑名单——原因是删除了一个新创建的、未使用的账户,导致无法访问网络。 这次经历强化了作者之前对 ATProto 密钥管理的批评,认为它对用户来说过于困难,并且依赖于中心化控制,尽管其目标是去中心化。“烧毁”机制由 Bluesky 控制,这表明了一个关键的中心化点,阻碍了预期的用户自由。作者认为,虽然 Bluesky 在理论上是去中心化的,但目前实际上无法在没有中心化机构干预的情况下使用。

## Bluesky & ATProto:密钥管理与去中心化问题 一篇近期帖子指出对ATProto密钥管理的不满,特别是之前“销毁”的身份因域名变更后被恢复,却仍然触发永久封禁的问题。作者认为这破坏了预期的去中心化,因为Bluesky中心化的“销毁”机制可以有效地将用户切断与网络的连接。 讨论的中心在于去中心化与易用性之间的权衡。一些人提倡完全点对点系统,承认其规模化方面的挑战,而另一些人则指出Bluesky架构的实用优势,允许用户自主托管数据和选择客户端。人们对ActivityPub的局限性表示担忧,例如账户迁移问题和缺乏全局搜索功能。 许多评论者认为Bluesky正在优先构建一个功能性平台,*然后再*实现完全去中心化,并且当前的中心化是暂时的必要性。然而,人们对Bluesky一旦建立起来是否真的会放弃控制仍然持怀疑态度。这场争论凸显了在理想的去中心化原则与实际实施和用户体验之间取得平衡的难度。
相关文章
原文
I Was Right About ATProto Key Management - nora's notes
I Was Right About ATProto Key Management

So, a while ago, I wrote a post called “Key Management, ATProto, and Decentralization” in which I complained about ATProto’s approach to decentralization. Since then, Blacksky has spun up an AppView, which makes it theoretically possible to have an actually decentralized experience on Bluesky. This was my line in the sand, stated many times; I would make an account when and only when it was possible to do so without using anything running on Bluesky-the-company’s hardware.

So, today, I tried that. Let’s walk through the process:

  1. Set up the PDS software on a server I control. Because I use NixOS, this was basically trivial.

  2. Create a did:web. This means creating a public-private keypair; I initially tried following this tutorial from Mai Lapyst, but it’s very out of date, and doesn’t include a critical step, as we’ll see.

  3. With that did:web, upload the did.json document to my webserver and set the appropriate DNS entries. Easy enough, except that I also had to set the CORS header for the did.json.

  4. Create an account on my shiny new PDS. I was able to get an invite and create an account, but it was in the “deactivated” status, and I couldn’t activate it. It was very frustrating, because I was making requests manually with curl and reading the error outcomes in the PDS’s logs on my server.

    Oh, and by the way, none of this is documented. Sure, the individual endpoints are - kind of - but the only place the whole process is collected in one place is in the comments to this GitHub issue… which is closed as WONTFIX.

  5. Seek help in the ATProto Touchers Discord server, and at their advice delete the account (foreshadowing!).

  6. Start over and re-create everything from scratch, finally noticing the comment line in the comment on the closed GitHub issue telling me to replace the public key in my DID with the public key from getRecommendedDidCredentials.

    The documentation for that endpoint, by the way, reads in full:

    Describe the credentials that should be included in the DID doc of an account that is migrating to this service.

    Note that I am not “migrating”; this account is new. Plus, the JSON keys it returns are almost, but not quite, the same as those in a DID document, and the key it returns actually has to be edited by hand in order to be usable.

  7. Update the DID document with the correct key.

  8. Log into Bluesky (bsky.app) and see the brave new world of… never mind, I get a “Profile does not exist error.”

It was at this point that I found this GitHub issue, which seems to imply that, since I deleted my (completely empty and unused) account, my did:web is blacklisted from the remaining mostly-centralized bit of the system, the AppView. The term for this, apparently, is being “burned”.

Asking in the Discord again, I was told as much, and that my best bet is to reach out to support. Support from the company that I am supposedly free from using. Ugh!

I feel that this completely vindicates my view in my other post that asking users - even pretty technical ones - to handle their own PKI without any tooling or even really any documentation is completely untenable. As a long time Fedi admin friend of mine said, this is somehow harder and more error-prone than setting up a Mastodon instance in 2017 - and you expect each and every user to choose between this and centralization?

ATProto may be decentralized, but Bluesky - the social network and social protocol on top of it - is not, at least not in a way anyone can actually use.

Coda

If you’ve been drinking the coolaid, ask yourself this: why is a centralized “burn” able to completely prevent me from interacting with people using Bluesky?

It’s no secret that I don’t like ATProto, but I do actually want to use Bluesky. I find Blacksky really interesting, and I have several friends who post exclusively there. I would love to use Bluesky, with my own domain name, from my own PDS, but I’m not allowed to - because of a centralized authority.

You may be aware that Mastodon has a similar system. If you set up a Mastodon server and then delete the database, anyone you’ve already federated with won’t federate with you again, because you can’t prove you’re the same instance. It’s a genuine issue - but it wouldn’t have resulted in this, because I hadn’t even made a post on my now-burned did:web identity, nor followed anyone.

Even if I had, though, that would have burned a connection, not all connections. My experience would be degraded, but not ruined, and I could work with the admins of the affected servers to remediate it. You could say the same here, of course; maybe (maybe) support will get back to me some day, but it’s just that - support. There is only, really, one connection that matters; maybe two, if you count Blacksky, but their AppView is not generally available yet.

That’s centralization. I don’t understand how you could call it anything else.

mtime Jan 25, 2026; 11ty.js; text CC-BY-SA 4.0; code AGPL 3.0;
view src 
---kdl
title "I Was Right About ATProto Key Management"
tags "Software"
description "I tried to set up a did:web and ended up burning my morning and my domain."
---

So, a while ago, I wrote a post called ["Key Management, ATProto, and Decentralization"](/atproto) in which I complained about ATProto's approach to decentralization. Since then, Blacksky has spun up an AppView, which makes it theoretically possible to have an actually decentralized experience on Bluesky. This was my line in the sand, stated many times; I would make an account when and only when it was possible to do so without using anything running on Bluesky-the-company's hardware.

So, today, I tried that. Let's walk through the process:

1. Set up the PDS software on a server I control. Because I use NixOS, this was basically trivial.

2. Create a did:web. This means creating a public-private keypair; I initially tried following [this tutorial](https://blog.lapyst.dev/posts/14-how-to-create-a-completely-independent-bluesky-atproto-account) from Mai Lapyst, but it's very out of date, and doesn't include a critical step, as we'll see.

3. With that did:web, upload the `did.json` document to my webserver and set the appropriate DNS entries. Easy enough, except that I also had to set the CORS header for the `did.json`.

4. Create an account on my shiny new PDS. I was able to get an invite and create an account, but it was in the "deactivated" status, and I couldn't activate it. It was very frustrating, because I was making requests manually with `curl` and reading the error outcomes in the PDS's logs on my server.

    Oh, and by the way, none of this is documented. Sure, the individual endpoints are - kind of - but the only place the whole process is collected in one place is in the comments to [this GitHub issue](https://github.com/bluesky-social/atproto/issues/3143)... which is closed as WONTFIX.

5. Seek help in the ATProto Touchers Discord server, and at their advice delete the account (foreshadowing!).

6. Start over and re-create everything from scratch, finally noticing the comment line in the comment on the closed GitHub issue telling me to replace the public key in my DID with the public key from `getRecommendedDidCredentials`. 

    The documentation for that endpoint, by the way, reads in full:

    > Describe the credentials that should be included in the DID doc of an account that is migrating to this service.

    Note that I am *not* "migrating"; this account is new. Plus, the JSON keys it returns are almost, but not quite, the same as those in a DID document, and the key it returns actually has to be edited by hand in order to be usable.

7. Update the DID document with the correct key.

8. Log into Bluesky (bsky.app) and see the brave new world of... never mind, I get a "Profile does not exist error."

It was at this point that I found [this GitHub issue](https://github.com/bluesky-social/atproto/issues/3455), which seems to imply that, since I deleted my (completely empty and unused) account, my did:web is blacklisted from the remaining mostly-centralized bit of the system, the AppView. The term for this, apparently, is being "burned".

Asking in the Discord again, I was told as much, and that my best bet is to reach out to support. Support from the company that I am supposedly free from using. Ugh!

I feel that this completely vindicates my view in my other post that asking users - even pretty technical ones - to handle their own PKI without any tooling or even really any documentation is completely untenable. As a long time Fedi admin friend of mine said, this is somehow harder and more error-prone than setting up a Mastodon instance in 2017 - and you expect each and every user to choose between this and centralization?

ATProto may be decentralized, but Bluesky - the social network and social protocol on top of it - is not, at least not in a way anyone can actually use.

### Coda

If you've been drinking the coolaid, ask yourself this: why is a centralized "burn" able to completely prevent me from interacting with people using Bluesky?

It's no secret that I don't like ATProto, but I do actually want to use Bluesky.
I find Blacksky really interesting, and I have several friends who post exclusively there.
I would love to use Bluesky, with my own domain name, from my own PDS, but I'm not allowed to - because of a centralized authority.

You may be aware that Mastodon has a similar system. If you set up a Mastodon server and then delete the database, anyone you've already federated with won't federate with you again, because you can't prove you're the same instance. It's a genuine issue - but it wouldn't have resulted in this, because I hadn't even made a post on my now-burned did:web identity, nor followed anyone.

Even if I had, though, that would have burned *a* connection, not *all* connections. 
My experience would be degraded, but not ruined, and I could work with the admins of the affected servers to remediate it.
You could say the same here, of course; maybe (maybe) support will get back to me some day, but it's just that - support. There is only, really, one connection that matters; maybe two, if you count Blacksky, but their AppView is not generally available yet.

That's centralization. I don't understand how you could call it anything else.
联系我们 contact @ memedata.com