In order to sign a message, the private key is going to have to be in the memory of *something*. Eventually we’ll be able to delegate keys out from a master key, which will be revocable in some way, which will make it a little less of a disaster if it gets exposed.
Discussion
So for now, when signing into an app, one cannot use an extension because the app cannot connect to the extension that is holding the key, right?
Right. If we are talking mobile, I don’t think it’s really possible in a usable way yet. Delegated keys with the “master” kept in a hardware signing device will probably be the way I want to use nostr when it’s possible.