it's insane the contortions that the W3C has gone through to avoid letting people just have PKI for auth instead of all these backwards-ass archaic and insecure schemes. i mean, ok. JWT is theoretically PKI auth, but overly complicated and retarded, and inflexible with the signature algorithms. i played with it for a while and hated it. essentially nostr auth events are the same exact thing in principle.

i mean, i was using RSA tokens to log in and file my fake tax returns for my "religious organisation" back in 2001-2008. when the organisation actually cares about security, they use PKI, but none of the web services actually give a shit about security, that's why it's all cookies.
