This would require an overhaul of clients and any relays that use WoT, auth, or similar features, correct?
Cold Root Identity v0.1.0 is live.
Nostr was never meant to run long term identities off a hot private key sitting inside a mobile app.
This repo ships a clean model that fixes it without changing the protocol:
offline root key
-> deterministic epoch keys
-> signed lineage event
-> clients follow rotations safely
All using standard NIP-01 events and ed25519 signatures.
No relay changes. No NIP changes. Just better key hygiene.
Spec, docs, test vectors, and a working Python CLI are here:
https://github.com/GHOST-UntraceableDigitalDissident/cold-root-identity
If you’re a client dev, this gives you everything you need to support safe identity rotation today.
Discussion
No overhaul needed. Relays don’t have to know anything about lineage. They already store opaque JSON and ignore tags they don’t understand. This fits inside NIP-01 as is.
For clients that use WoT or auth features, nothing breaks. The root key doesn’t change. The epoch keys still verify back to the same identity using a signed lineage event. It’s additive, not a replacement. Clients can keep doing whatever they’re doing today and simply optionally follow the rotation chain if they want stronger key hygiene.
It’s a client-side improvement path, not a protocol rewrite.
I’ll add a client integration guide to the GitHub repo later tonight.
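The flow from the announcement (offline root key, deterministic epoch keys, a signed lineage event, clients following rotations) and the reply's point that epoch keys verify back to the same root, as an added Python example that is not the repo's own code. Signatures are Ed25519 as the post states, via the `cryptography` library; the HMAC-based epoch derivation, the event kind 30000 and the `epoch`/`epoch_key` tag names are assumptions for illustration, not the repo's spec.

```python
import hashlib, hmac, json
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey, Ed25519PublicKey
from cryptography.hazmat.primitives.serialization import Encoding, PublicFormat
LINEAGE_KIND = 30000  # assumed kind number; the repo's real kind is not stated in the thread

def root_from_seed(seed: bytes) -> Ed25519PrivateKey:
    return Ed25519PrivateKey.from_private_bytes(seed)  # the root seed stays offline; constructed here for the demo
def pub_hex(key: Ed25519PrivateKey) -> str:
    return key.public_key().public_bytes(Encoding.Raw, PublicFormat.Raw).hex()

def epoch_key(root_seed: bytes, epoch: int) -> Ed25519PrivateKey:
    # Deterministic epoch key (assumed scheme): HMAC-SHA256(root_seed, "epoch:" || index) used as the Ed25519 seed
    seed = hmac.new(root_seed, b"epoch:" + epoch.to_bytes(4, "big"), hashlib.sha256).digest()
    return Ed25519PrivateKey.from_private_bytes(seed)

def event_id(pubkey: str, created_at: int, kind: int, tags: list, content: str) -> str:
    # NIP-01: id = sha256 over the compact JSON array [0, pubkey, created_at, kind, tags, content]
    ser = json.dumps([0, pubkey, created_at, kind, tags, content], separators=(",", ":"), ensure_ascii=False)
    return hashlib.sha256(ser.encode()).hexdigest()

def sign_lineage(root: Ed25519PrivateKey, epoch: int, epoch_pub: str, created_at: int) -> dict:
    # The offline root signs an ordinary NIP-01 event naming the current epoch key (tag names are assumed)
    tags = [["d", "lineage"], ["epoch", str(epoch)], ["epoch_key", epoch_pub]]
    eid = event_id(pub_hex(root), created_at, LINEAGE_KIND, tags, "")
    return {"id": eid, "pubkey": pub_hex(root), "created_at": created_at, "kind": LINEAGE_KIND,
            "tags": tags, "content": "", "sig": root.sign(bytes.fromhex(eid)).hex()}

def verify_lineage(event: dict, trusted_root: str):
    """Client check: (epoch, epoch_pub) if this is a valid lineage event signed by trusted_root, else None."""
    if event.get("pubkey") != trusted_root or event.get("kind") != LINEAGE_KIND:
        return None
    if event_id(event["pubkey"], event["created_at"], event["kind"], event["tags"], event["content"]) != event["id"]:
        return None  # body does not hash to the claimed id: tampered or malformed
    try:
        Ed25519PublicKey.from_public_bytes(bytes.fromhex(trusted_root)).verify(
            bytes.fromhex(event["sig"]), bytes.fromhex(event["id"]))
        tags = {t[0]: t[1] for t in event["tags"] if len(t) >= 2}
        return int(tags["epoch"]), tags["epoch_key"]
    except (InvalidSignature, ValueError, KeyError):
        return None  # bad signature, or the lineage tags are missing/malformed

def follow_rotation(state: dict, event: dict) -> bool:
    """Move the client's view forward only: a valid lineage event with a higher epoch replaces the current key."""
    result = verify_lineage(event, state["root"])
    if result is None or result[0] <= state["epoch"]:
        return False  # invalid, or a replayed/older announcement: never roll back to a previous epoch key
    state["epoch"], state["epoch_key"] = result
    return True
```

A client only ever needs the root public key pinned; everything else (the current epoch key, the rotation history) is recoverable from relays as ordinary events.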