What are your thoughts on a chain of trust structure for nsecs? A user would have a root nsec stored on a hardware device. When a Nostr app wants to authenticate a user, it can request a signed event from the root nsec to attest for the newly generated client-specific nsec. The root nsec stays secure and can revoke the client nsec later, and the client doesn't need to deal with any remote signing.
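An added example, not part of the original post, sketching what a verifier would check under the proposed scheme: the root key attests a client key, the client key signs events, and only a root-signed revocation disables it. Ed25519 from the Go standard library is swapped in for Nostr's secp256k1 Schnorr signatures so the block runs offline. The statement format, the domain tags and all function names are assumptions made for illustration, not an existing Nostr specification.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
)

// Domain tags keep an attestation signature from being replayed as a revocation.
const tagAttest, tagRevoke = "attest-client-key-v1:", "revoke-client-key-v1:"

// Statement is the byte string the root key signs about a client key (assumed format).
func Statement(tag string, client ed25519.PublicKey) []byte {
	return append([]byte(tag), client...)
}

// VerifyEvent checks root -> client key -> event, then any root-signed revocation.
func VerifyEvent(root, client ed25519.PublicKey, attSig []byte, revSigs [][]byte, msg, sig []byte) error {
	switch {
	case len(client) != ed25519.PublicKeySize: // ed25519.Verify panics on a bad key length
		return errors.New("malformed client key")
	case !ed25519.Verify(root, Statement(tagAttest, client), attSig):
		return errors.New("client key not attested by root")
	case !ed25519.Verify(client, msg, sig):
		return errors.New("event not signed by client key")
	}
	for _, r := range revSigs {
		if ed25519.Verify(root, Statement(tagRevoke, client), r) {
			return errors.New("client key revoked by root")
		}
	}
	return nil
}

// Scenario runs four constructed cases and returns one verdict per case.
func Scenario() []error {
	rootPub, rootPriv, _ := ed25519.GenerateKey(nil)
	cliPub, cliPriv, _ := ed25519.GenerateKey(nil)
	msg := []byte("constructed sample event")
	sig := ed25519.Sign(cliPriv, msg)
	st := func(k ed25519.PrivateKey, tag string) []byte { return ed25519.Sign(k, Statement(tag, cliPub)) }
	return []error{
		VerifyEvent(rootPub, cliPub, st(rootPriv, tagAttest), nil, msg, sig), // accepted
		VerifyEvent(rootPub, cliPub, st(cliPriv, tagAttest), nil, msg, sig),  // self-issued attestation
		VerifyEvent(rootPub, cliPub, st(rootPriv, tagAttest), [][]byte{st(cliPriv, tagRevoke)}, msg, sig),  // revocation not from root: ignored
		VerifyEvent(rootPub, cliPub, st(rootPriv, tagAttest), [][]byte{st(rootPriv, tagRevoke)}, msg, sig), // revoked
	}
}

func main() { fmt.Println(Scenario()) }
```

In this sketch the root key signs only two short statements per client key, so it can stay on the hardware device while the client key signs every event locally.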
One of the biggest technical hurdles for Nostr is finding a way to sign events on web apps without browser extensions and without sharing the nsec with the web.
The browser is your enemy...
As soon as there is any meaningful growth in user base, let's say the next adoption cycle "and nsec gone"
Sure, nostr:npub1l2vyh47mk2p0qlsku7hg0vn29faehy9hy34ygaclpn66ukqp3afqutajft created NSECBunker, but there has not been any adoption or alternatives coming up.
