Someone help me out to see if I am onto something, or if my non-technical brain is not understanding how this stuff works.

We want to be able to have private relays for groups, that the notes published to those relays can't be arbitrarily rebroadcast out to other public relays by anyone with read access to the relay, right?

What if private relays required a multi-sig before the note was stored on the relay, one from the note author and one from the relay owner, who set a policy to automatically sign any note received from a white-listed npub? As I understand it, a multi-sig signature can look like a single signature in some signing schemes, so any other public relay would be expecting the note to just be signed by the author, and reject it since the signature wouldn't match that author's single signature, but the private relay, and any client reading from it, would expect it to be signed by both the author and the relay, and would verify it.

Am I just not understanding how this all works, or is this a theoretical possibility?

#askNostr