It’s the public key, npub1gh4z9pyza2g9y87xte7nzkgwhe3xtwt9g7rannvfec4s9vl5vlwqseq4nu in your case, which is unique and can be cryptographically signed and trusted, not the @user.

Discussion

Right, but if there are two profiles, one is the real person and one is an impersonator... how do I know which one is legit? I’m just saying by looking at and comparing the two profiles... the key doesn’t matter because I don’t know which account to trust. Does that make sense?

The eve impersonator can’t sign messages with the private key of the public key which belongs to @jack’s profile. On some profiles you see the purple NIP-05 checkmark, which would be another indicator.

For example, if I own joern.com I could link the public key of this @joern username to joern@joern.com. To do so I need access to the configuration of that domain. Fraudsters can’t do that either.

#[2] for example linked his pubkey to cash.app by placing this on the cash.app domain: https://cash.app/.well-known/nostr.json?name=jack
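An added example of the check a client performs behind that purple NIP-05 checkmark (illustration code written for this page, not code from the thread, from Nostr, or from any client). It assumes the NIP-05 layout: the client takes the `name@domain` identifier from a profile, fetches `https://<domain>/.well-known/nostr.json?name=<name>`, and compares the hex key published under `names` with the profile's pubkey. Since profiles carry npubs (bech32) while the file carries hex, the npub has to be decoded first, so a bech32 decoder is included. The keys, the responses and `fake_fetch` are constructed stand-ins so the example runs offline.

```python
# NIP-05 identifier check (added example; not code from the thread or any client).
# Assumed layout: https://<domain>/.well-known/nostr.json?name=<local-part> returns
# {"names": {<local-part>: <64-char hex x-only pubkey>}}. Network access is replaced
# by a constructed fetcher so the example runs offline.
import json
import re

CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"  # bech32 alphabet (BIP-173)


def _polymod(values):
    gen = (0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3)
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i in range(5):
            if (top >> i) & 1:
                chk ^= gen[i]
    return chk


def _hrp_expand(hrp):
    return [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]


def _convertbits(data, frombits, tobits, pad):
    """Regroup a bit stream (8->5 to encode, 5->8 to decode); None if padding is invalid."""
    acc, bits, out, maxv = 0, 0, [], (1 << tobits) - 1
    for value in data:
        acc = (acc << frombits) | value
        bits += frombits
        while bits >= tobits:
            bits -= tobits
            out.append((acc >> bits) & maxv)
    if pad:
        if bits:
            out.append((acc << (tobits - bits)) & maxv)
    elif bits >= frombits or ((acc << (tobits - bits)) & maxv):
        return None
    return out


def hex_to_npub(hex_key):
    """Encode a 32-byte hex pubkey as npub1... (bech32 with hrp 'npub')."""
    data = _convertbits(bytes.fromhex(hex_key), 8, 5, True)
    poly = _polymod(_hrp_expand("npub") + data + [0] * 6) ^ 1
    checksum = [(poly >> 5 * (5 - i)) & 31 for i in range(6)]
    return "npub1" + "".join(CHARSET[d] for d in data + checksum)


def npub_to_hex(npub):
    """Decode an npub to 64 hex chars; None if prefix, checksum or length is wrong."""
    if npub != npub.lower() and npub != npub.upper():
        return None  # mixed case is invalid bech32
    s = npub.lower()
    pos = s.rfind("1")
    if pos < 1 or any(c not in CHARSET for c in s[pos + 1:]):
        return None
    hrp, data = s[:pos], [CHARSET.index(c) for c in s[pos + 1:]]
    if hrp != "npub" or _polymod(_hrp_expand(hrp) + data) != 1:
        return None
    raw = _convertbits(data[:-6], 5, 8, False)  # drop the 6 checksum groups
    return bytes(raw).hex() if raw and len(raw) == 32 else None


def verify_nip05(identifier, profile_npub, fetch):
    """Return (ok, detail): ok only if the domain in the identifier publishes the
    profile's key under that local-part. Nothing in the profile itself is trusted."""
    m = re.fullmatch(r"([a-z0-9._-]+)@([a-z0-9.-]+)", identifier.lower())
    if not m:
        return False, "malformed identifier"
    name, domain = m.groups()
    expected = npub_to_hex(profile_npub)
    if expected is None:
        return False, "profile npub does not decode"
    url = f"https://{domain}/.well-known/nostr.json?name={name}"
    try:
        doc = json.loads(fetch(url))
    except (LookupError, ValueError, OSError) as e:
        return False, f"no usable nostr.json at {url}: {e!r}"
    names = doc.get("names") if isinstance(doc, dict) else None
    published = names.get(name) if isinstance(names, dict) else None
    if not (isinstance(published, str) and re.fullmatch(r"[0-9a-f]{64}", published)):
        return False, f"{domain} does not publish a key for {name}"
    if published != expected:
        return False, f"{domain} publishes a different key for {name}"
    return True, f"{domain} vouches that {name} is {expected}"


# Constructed keys for the example: not the real keys of anyone in the thread.
JACK_HEX = bytes(range(32)).hex()      # "jack", who controls cash.app
EVE_HEX = bytes(range(32, 64)).hex()   # "eve", the impersonator

# Constructed stand-in for the network: what each URL would return.
FAKE_RESPONSES = {
    "https://cash.app/.well-known/nostr.json?name=jack":
        json.dumps({"names": {"jack": JACK_HEX}}),
    # eve can only publish on a domain she controls, e.g. a lookalike
    "https://cash-app.example/.well-known/nostr.json?name=jack":
        json.dumps({"names": {"jack": EVE_HEX}}),
}


def fake_fetch(url):
    return FAKE_RESPONSES[url]  # KeyError stands in for a failed request


if __name__ == "__main__":
    for ident, npub in [("jack@cash.app", hex_to_npub(JACK_HEX)),
                        ("jack@cash.app", hex_to_npub(EVE_HEX)),
                        ("jack@cash-app.example", hex_to_npub(EVE_HEX))]:
        print(ident, npub[:12] + "...", verify_nip05(ident, npub, fake_fetch))
```

The third case is the caveat: eve passes verification on a domain she does control, so a checkmark only ever means "the domain named in the identifier vouches for this key". The user still has to notice that the identifier reads cash-app.example rather than cash.app, which is why a client should display the verified identifier next to the tick instead of the tick alone.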

Got it! So linking to a website is a form of verification. Are there other ways to signal that you’re the real person besides linking to a site?

You can upload a selfie with your pubkey written down on a piece of paper, or link your key on your other social media accounts like Twitter, Instagram or whatever.

Not sure if this is still a thing but there used to be 'key exchange parties' where people can meet in person to exchange their public keys

Yeah, sure, we can also exchange keys via a third comms channel, and the UI would ideally indicate that you know one but not the other.

Is that a new paradigm shift in this web3 world… the burden to prove authenticity is on the user?

No, ideally the clients do it for you and give you the hints. It’s like https and the green lock in your browser’s address bar. Back then it was just a lock, then warnings became more sophisticated. It’s just a matter of time until it gets built into the clients here, but fundamentally it’s the same cryptographically verifiable trust relation.

Also, what’s stopping Facebook from just assigning/exposing a public key for every user? In that scenario, Jack could just link that key to the cash.app site as well to prove his identity

The difference is that db would control the private key, if I understand you correctly. In nostr’s case you alone own the private key; its possession IS the identity, and all your messages and comms are signed with it.