Review your key management practices today. It’s important to stay secure, especially as we build more apps. 💜👀

nostr:note1qr85qsvq69es3s6403p04cnd3yaq34382ufuy25dt77pe3f5sj4qf9dpdm

Discussion

Is it yet possible to have an offline key that can revoke and reissue the online key?

No, it's not. We can't revoke keys from accessing things that they had access to before. Do you have any ideas around this?

Don't use the keys for access.

Revocation seems fairly simple on nostr. Not sure what needs explaining.

The hard part of nostr delegation is the UX, since keys are displayed to end users.

Can you explain exactly the key management model in your mind?

Offline key signs messages about what other keys can represent it

Those other keys go in your clients

If one gets compromised, master key signs a revocation and Merkle tree of pre-revocation signatures

That's NIP26 - Delegated event signing, but it's kinda deprecated:

https://github.com/nostr-protocol/nips/blob/master/26.md

So review our key handling practices, but it's still impossible (or deprecated) to actually have good ones...?

Do you think using delegated event signing (at least the way mentioned in NIP-26) is the best practice for managing our keys?

Key delegation and revocation (or even better, rotation) are badly needed, but NIP 26 isn't it.

Some recent discussion on the topic: https://github.com/nostr-protocol/nips/pull/1452

I'm sure your perspective on the problem would be very welcome.

It's not really necessary, because it is impossible.

Someday I'll sit down and singlehandedly solve social key rotation

Attestations can help I think.

#YESTR

How does it currently work? Do nostr clients store the private key on their servers after it's submitted by the user?

Usually it's stored in the app/browser, hopefully never on the server. You can also use extensions like nos2x or alby to protect your key from the app, or you can use NIP 46 signers like nsec.app or Amber to hold your own keys and sign remotely.

Thank you for the explanation. I'm looking at the NIP-46 doc and it's really a neat solution.

Best recommended ways to do that?

What do you do for yourself?

I just use nsec.app; it's non-custodial and works great everywhere except for iOS.

iOS doesn't like anything non-custodial.

Amber and nsec stored in a password manager. Ncryptsec if I need to move the key around.

I think end users need a good way to handle it.

Safe, accessible, easy.

Current key managers don't have these 3 at the same time.

Sadly I'm one person. Otherwise it would be my other project.