Subnostr

the idea of my main nostr private key being handed to random nostr apps for signing random application events seems crazy. the number of popups to sign seemingly random events is too great and blindly signing events is a horrible idea.

why can’t I login to some nostr app by signing a single event with my main key, where that single event is me authorizing an auto generated, application-specific identity that the app can go wild with?

in retrospect, ive reinvented oauth2.

why don’t we use oauth2 in nostr?

jb55 2y ago

This is delegated event signing https://github.com/nostr-protocol/nips/blob/master/26.md

Reply to this note

Please Login to reply.

Discussion

ben 2y ago

lol exactly. do you know of any clients using this scheme? skimming the pr it looks like it was rooted in minds dot com

jb55 2y ago

I like it but many nostr devs do not so it just hasn’t been adopted. I think nostr:npub180cvv07tjdrrgpa0j7j7tmnyl2yr6yr7l8j4s3evf6u64th6gkwsyjh6w6 even removed it from nostr-tools recently.

ben 2y ago

ack. I will go spelunking to learn more. at face value it makes sense to me 🤔

frphank 2y ago

I'm X.509 "delegations" are just called "certificates". Why invent new terminology?

Also in X.509 certificate chains of arbitrary length are allowed so that each user may choose the level of indirection that suits their security needs.

frphank 2y ago

*In X.509 ...