Replying to Valentino Giudice

It can make sense to trust an account based on its NIP-05 identity if you know the domain.

But the checkmark is shown besides the name of just any account that is associated with any domain name, trustworthy or not. Any scammer or spammer can trivially create a domain name and they are often very willing to pay. So the mere presence of a NIP-05 identity proves nothing.

A checkmark doesn't signal that the user needs to manually verify that the domain is one they trust. The message it conveys is that the account is to be trusted. And, again, the presence of a random domain is no evidence for this.

A solution could be to let users specify a pool of domain names that are to be trusted and have the checkmark for those domains.

The issue is that NIP-05 only allow each user to have one identity. So if there are two domains that could verify me, for instance because I belong to two organizations (many people do), I have to pick one and only one. The people who don't know the organization that I picked, but do trust the other, won't see a checkmark, even though they logically should.

Even for its intended purpose, NIP-05 should allow multiple identifiers. But verification is not its intended purpose.
Avatar
daniele 3mo ago 💬 1

The multi domain thought is interesting.

You can technically create more NIP-05 addresses that are simultaneously valid; the pitfall is that currently clients show/verify only one NIP-05 from the "nip05" extra field.

To enable the multi NIP-05 support we could introduce duplicate "nip05" fields (but the JSON would be formally invalid), or have an additional "nip05_alts" with a list of comma separated secondary addresses.

Reply to this note

Please Login to reply.

Discussion

8e
Valentino Giudice 3mo ago

It's something I have suggested before, but didn't get traction.

I actually still think it should be implemented. JSONs must stay compliant. Other than that, I don't care much how the implementation happens, as long as it does.

One issue one might raise is performance. However, this is only a concern if clients load and verify NIP-05 identities for every account every time it's displayed. And the only real reason for doing so is the checkmark, which shouldn't be there anyways.

I think "verification" should happen, for all domains, when the user actually checks the info page of an account, which wouldn't actually require much.