Replying to Avatar hodlbod

The spec or the implementation?
Avatar
ᴛʜᴇ ᴅᴇᴀᴛʜ ᴏꜰ ᴍʟᴇᴋᴜ 1y ago

the implementation

the spec is hard to read, i could try and write it based on the spec, i may yet, it's just not a high priority for me right now

i don't quit have my head wrapped around how it works but HMACs are annoying anyway, signatures do the same thing, and if the thing inside is signed and only the receiver can unpack that then there is security, and if the client can maintain the state of that, it could turn into a chain if you sent one or more future pubkeys to reply with, since the sender can identify a reply by that

but i think it's lower priority than getting everyone to fully support NIP-42 so the relays don't hand out these messages to anyone who hasn't proved they are the valid parties to the messages

Reply to this note

Please Login to reply.

Discussion

Avatar
hodlbod 1y ago

Yeah, the HMAC thing was discussed in the audit. I don't fully understand why paul went that direction, but it does work as long as it's in an event

Avatar
ᴛʜᴇ ᴅᴇᴀᴛʜ ᴏꜰ ᴍʟᴇᴋᴜ 1y ago

well i'm just telling you that that the go implementation is definitely divergent from the javascript version

and the javascript version seems to not be referred to by the NIP actually, i know your codebase has it but it's not pointed to by the NIP

there really should be an interop test for this, preferably one that uses randomly generated content so it's only repeatable if it's correct

Avatar
hodlbod 1y ago

The javascript version comes from paul miller's reference implementation, it's basically copied over into nostr-tools

Avatar
ᴛʜᴇ ᴅᴇᴀᴛʜ ᴏꜰ ᴍʟᴇᴋᴜ 1y ago

https://github.com/nbd-wtf/nostr-tools

Avatar
ᴛʜᴇ ᴅᴇᴀᴛʜ ᴏꜰ ᴍʟᴇᴋᴜ 1y ago

of course i don't know it because javascript is the most abominable language ever invented, and i curse Griesemer, he only avoids hell by helping build Go