Replying to Avatar Tim Bouma

I think NIP-05 is super-powerful because it gives an external trust context to an #npub. Some might argue, it is insecure, but that’s really a function of how the domain is managed and how you decide to trust.

NIP-05 also gives a really good bridge to the legacy world, and everyone knows how to read and make a judgment of a domain name (yes, I know about threats of character substitution, spoofing, etc., but that can be mitigated). All the DNS lookup stuff is deeply baked in the OS, so there is little reason not to use it.

If you dig into DNS, it’s not really centralized, as many claim.Yes, there is a root, but everything is delegated from that point downward. So it’s not really centralize or decentralized: I like to call it ‘delegated’. DNS (or more specifically DNSSEC) works for nation-states that are bombing each other, so I don’t see why it wouldn’t be leveraged by #nostr in a hopefully less-adversarial environment.

Finally domain names (URIs, URNs) have superpowers- have a read of RFCs 3986 and 8141. By their very structure, you, as a human, can read out the authority structure of a URN/URI before deciding what to do with (usually, trust). You can’t read a QR code, but you can read a text URI/URN to make a device-unassisted trust decision
Avatar
Melvin Carvalho 1y ago

Yes, but HTTP is not legacy. It powers nostr too. You have to remember DNS was a small tool, by Jon Postel that was hooked on to HTTP at the time because it was useful You can think of DNS assomething like HTTP-NIP-05. But it just grew and grew. And when things grow, centralization creeps in. If nostr made an alternative to DNS and it grew the same size (it wont) the same, if not worse, centralization would creep in. Nostr nor http are tied to DNS anyway. Nomen for example is an excellent solution there. NIP-05 is pretty secure, and provides rich profiles on the web.

Reply to this note

Please Login to reply.

Discussion

Avatar
Tim Bouma 1y ago

HTTPS is great. Unfortunately most think you need to be blessed by a browser root program and CA to use it. Part of that capture has been mitigated by Let’s Encrypt (thank god) and there are other schemes like DANE (domain authentication of named entities) where you can self-generate and self-register your own cert using DNSSEC. But the browser vendors/CAs have little interest in implementing because that cuts them out of the authority loop.

It’s not so much centralization I am worried about; it’s more about authority-creep that leads to centralization.