Avatar
daniele 1y ago

All clients flag a NIP-05 in some visual way if it is invalid. This can happens for a misconfiguration but more frequently when someone try to impersonate. The problem is that this "flag" (e.g. green/red icon, open/closed lock) is not always obvious, also because it is often next to the profile picture, and newcomers may be confused and deceived. Moreover, an incorrect NIP-05 does not always correspond to spam/scam, so it cannot be further highlighted.

Best pratice proposal: just hide invalid NIP-05s in feeds and threads, and show them only in the profiles, with a proper description of the problem.

#nostrdesign

Reply to this note

Please Login to reply.

Discussion

Avatar
HoloKat 1y ago

There’s no way to utilize nip5 for any sort of verification. For it to be useful, you have to know people’s nostr address. Scammers can register a free one and still look legit to someone who has no idea what that person’s actual nostr address is.

I think Nostur has the best solution in place with impersonator tag

Avatar
daniele 1y ago

I know it is for identification, except for rare cases, in fact few weeks ago I updated NIP-05 to clarify that.

And that is precisely why there is no point in showing it everywhere, especially if it is invalid. The point is to simplify the interface (I know, I won you over here, haha) and avoid exposing a detail that is unnecessary and may indeed be confusing.

Intead in the profile, with a proper explanation, it can be useful to debug misconfigurations or have a clearer idea about what the profile is trying to do.

What is this impersonator tag?

Avatar
HoloKat 1y ago

https://nostrdesign.org/docs/how-to/impostor-prevention/

Avatar
daniele 1y ago

Interesting approach, but it seems resource intensive (calculate images hashes or similarities for all the social graph is heavy) and I suspect it can be quite fragile. Probably WoT is quicker and safer. Btw, NIP-05 is not involved here, even if it can be used to compose the final score.

Avatar
HoloKat 1y ago

This was before wot

Avatar
Braydon Fuller 1y ago

Yup, it needs to be remembered and known. That is why I think it is a good idea to be able to verify an account user metadata, name, nip05, website and etc. Verified values can be recorded via an attestation event/note that could be private or public. I've drafted up a wireframe of this and NIP on how it could work.

Avatar
Braydon Fuller 1y ago

Here is the mentioned animated wireframe of how what I described could work:

https://raw.githubusercontent.com/braydonf/nostr-key-migration-and-revocation/89a9437e958f44bf748f145b85e603d83cf7ef2f/graphics/ux-storyboard-animation.webp

And NIP text:

https://github.com/braydonf/nips/blob/secure-profiles/xx.md

Avatar
daniele 1y ago

Interesting. Probably the attestation can happen as optional step after following the user, and be included in the follow list (kind 2). This would make the adoption easier.

Avatar
Braydon Fuller 1y ago

Sure!

Perhaps as well, private attestations could be made with a follow for just the name and profile image, as a starting point.

Avatar
Raymon 1y ago

That's what Raymon tells since months...

Avatar
Braydon Fuller 1y ago

IDK, I often look at the Nostr Address/NIP05 checks in comments, some folks' are easy to remember (yours for example). Amethyst does well here, atleast.

Avatar
daniele 1y ago

Probably when name and display_name differ, and the client shows only display_name.

In this case NIP-05 functions as a name substitute.