I don't have any power to change the protocol; all I can do is create a new protocol with different rules, and I don't think that would help anyone.

Also dynamic keys introduce too many complications that ultimately make Nostr suck.

There are solutions to make our single keys safer. The main solution is called the bunker. And there are solutions to make it so that losing your main key isn't as bad as it may be currently. These solutions do not require creating a new protocol.

Also any scheme that involves key rotation or whatever still requires the concept of a "master" key. And that key has to be kept secure anyway, so you're really not solving anything.

Discussion

The solution should involve revoking the compromised key and linking it to the new one. Clients would then display notes from the old key up to the revocation point, and from the new key thereafter. If your key is compromised, revoke it and establish a link to the new one. Clients could follow the new key automatically or manually—it doesn't matter.

In this scenario who runs the key registries and how do you trust registry A vs B?

Why use registries? Just broadcast a revocation event to as many relays as possible. Key revoked.

If I steal your key and revoke it what happens then?

You saved me time by doing what I needed to do.

I control the key too and just tell everyone to follow my new account. You do the same. How is this resolved?

The same way people identified you in the first place. Someone who knows you IRL can confirm your identity, or use nip05 to verify, or another social media, telegram, email, phone, whatever.
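The "revoke and link" scheme proposed in this thread, and the competing-revocation objection raised against it, as an added example that is not part of any post above and not part of the Nostr protocol. The `Revocation` event, the `resolve` function and the key strings are hypothetical, and signatures are assumed to have been verified already.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Note:
    pubkey: str
    created_at: int
    content: str

@dataclass(frozen=True)
class Revocation:
    """Hypothetical 'revoke and link' event; not an existing Nostr event kind."""
    old_key: str      # revoked key, which is also the key that signed this event
    new_key: str      # successor named by whoever held old_key
    created_at: int

def resolve(old_key, notes, revocations):
    """Return (status, successor, timeline) for a followed key.

    Assumes the caller has already verified every event signature.
    """
    by_time = lambda n: n.created_at
    revs = [r for r in revocations if r.old_key == old_key]
    if not revs:
        return "active", None, sorted((n for n in notes if n.pubkey == old_key), key=by_time)
    # Old-key notes count only up to the earliest revocation seen.
    cutoff = min(r.created_at for r in revs)
    timeline = [n for n in notes if n.pubkey == old_key and n.created_at < cutoff]
    successors = {r.new_key for r in revs}
    if len(successors) > 1:
        # Owner and thief both hold old_key, so both revocations verify.
        # Nothing in the events says which successor is real: do not
        # auto-follow; the user must confirm out of band (nip05, in person).
        return "contested", None, sorted(timeline, key=by_time)
    successor = successors.pop()
    timeline += [n for n in notes if n.pubkey == successor and n.created_at >= cutoff]
    return "rotated", successor, sorted(timeline, key=by_time)

# Constructed sample data: short strings stand in for real public keys.
NOTES = [
    Note("old", 100, "hello"),
    Note("old", 250, "posted with the stolen key"),
    Note("new_owner", 300, "this is my new key"),
    Note("new_thief", 310, "follow me instead"),
]
OWNER_REV = Revocation("old", "new_owner", 200)
THIEF_REV = Revocation("old", "new_thief", 210)
```

When only one revocation has reached the client, it resolves as `rotated` regardless of who signed it, so a client following this scheme automatically still depends on the out-of-band confirmation described in the last reply.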