One of the less discussed ramifications of bare #nsec login to #Nostr apps is that it leaves the user with the impression that their private key is only used for logging in. All of the signing that is done using that key after login is entirely hidden from the user.
This leads to a fundamental misunderstanding of how Nostr works and why private keys are so important for this protocol in the first place. A signature attached to everything you do is why Nostr is trustless and permissionless. There is no need for a third party to verify that your npub legitimately posted a note, reacted to another note, or zapped someone, because the signature attached to each of those actions is self-authenticating.
This becomes much clearer when you use a signer app that asks you to approve a signing request every time you do something new that you haven't previously authorized it to auto-approve.