The payload is signed by the author, therefore if you trust the author you trust the payload.
Discussion
Nope, doesn’t work like that. All it does is verify the note originated from a pubkey.
The note contains the payload, in this case a hypernote element; where is the problem? 🤷
You have no idea whether that account has been compromised. You have no idea whether somebody has placed arbitrary scripts within that payload. All signing does is provide proof of authorship; it does not provide proof of the author other than that it was signed by something holding the public/private key pair. It does not validate or verify the content. The threat level in these systems is always what’s in the content.
The early web had the same problems. We’ll go through this exact same cycle with nostr.
Just because you can do something, it’s not always a good idea to do it until you’ve mitigated the risk of bad actors. There will always be bad actors; it’s a fact of life.
Personally, I wouldn’t trust this implementation until it can be verified. Right now, I would treat it as moderately cool, but be cautious of its safety.
You are pointing to features of PKC, where a private key can be used by anyone who has it to produce valid signatures. This is not introduced by Nostr; PGP has always had an advisory of a trust relationship between the key and the entity supposed to be behind it. The solution is web of trust, where there are out-of-band ways to determine links between the key and the person behind it. On the other hand, I'm not sure if you understand how Nostr event signatures work. Of course, it is a verification that the content field of the event is by the author who signed the note; it cannot be changed or modified and still be valid for the signature. Each Nostr event is a portable, self-signed certificate; it is tamper-evident against any modifications. Also, this note can explain more things about HN security measures.
To pinpoint the exact threat: the hypernote element contains executable code.
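As an added example (written for this page, not code from any participant or from a Nostr or hypernote project), here is a plain-Python NIP-01 / BIP-340 event verifier that shows exactly what the two replies above agree on: the check proves that a given pubkey signed exactly this content, and a tampered event fails, but an event whose content is a script verifies just as well. The secp256k1 constants and the NIP-01 serialization are standard; the secret key and event values are constructed, and `sign_event` is a test helper with a simplified deterministic nonce rather than BIP-340's aux-rand scheme.

```python
import hashlib, json
# secp256k1 constants; NIP-01 events carry BIP-340 x-only pubkeys and Schnorr signatures
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
b32 = lambda n: n.to_bytes(32, "big")      # int -> 32-byte big-endian
i32 = lambda b: int.from_bytes(b, "big")   # bytes -> int
def add(a, b):  # affine point addition; None is the point at infinity
    if a is None or b is None:
        return a or b
    if a[0] == b[0] and a[1] != b[1]:
        return None
    l = (3 * a[0] * a[0] * pow(2 * a[1], P - 2, P) if a == b
         else (b[1] - a[1]) * pow(b[0] - a[0], P - 2, P)) % P
    x = (l * l - a[0] - b[0]) % P
    return (x, (l * (a[0] - x) - a[1]) % P)
def mul(k, pt):  # scalar multiplication by recursive double-and-add
    return None if k == 0 else add(mul(k >> 1, add(pt, pt)), pt if k & 1 else None)
def th(tag, msg):  # BIP-340 tagged hash: sha256(sha256(tag) || sha256(tag) || msg)
    t = hashlib.sha256(tag.encode()).digest()
    return hashlib.sha256(t + t + msg).digest()
def lift_x(x):  # x-only pubkey -> the curve point with even y, or None if off-curve
    y2 = (pow(x, 3, P) + 7) % P
    y = pow(y2, (P + 1) // 4, P)
    return None if x >= P or y * y % P != y2 else (x, y if y % 2 == 0 else P - y)
def schnorr_verify(pk32, msg32, sig64):  # BIP-340 verify: s*G - e*P must equal R with even y
    pk, r, s = lift_x(i32(pk32)), i32(sig64[:32]), i32(sig64[32:])
    if pk is None or r >= P or s >= N:
        return False
    e = i32(th("BIP0340/challenge", sig64[:32] + pk32 + msg32)) % N
    R = add(mul(s, G), mul(N - e, pk))
    return R is not None and R[1] % 2 == 0 and R[0] == r
def event_id(ev):  # NIP-01 id: sha256 of compact JSON [0, pubkey, created_at, kind, tags, content]
    ser = json.dumps([0, ev["pubkey"], ev["created_at"], ev["kind"], ev["tags"], ev["content"]],
                     separators=(",", ":"), ensure_ascii=False)
    return hashlib.sha256(ser.encode()).hexdigest()
def verify_event(ev):  # True iff this pubkey signed exactly this content; says nothing about what the content does
    return ev["id"] == event_id(ev) and schnorr_verify(
        bytes.fromhex(ev["pubkey"]), bytes.fromhex(ev["id"]), bytes.fromhex(ev["sig"]))
def sign_event(seckey, ev):  # constructed test helper: simplified deterministic nonce, not BIP-340's aux-rand scheme
    pt = mul(seckey, G)
    d = seckey if pt[1] % 2 == 0 else N - seckey  # BIP-340 keys always correspond to an even-y point
    px = b32(pt[0])
    ev = dict(ev, pubkey=px.hex())
    m = bytes.fromhex(event_id(ev))
    k = i32(th("BIP0340/nonce", b32(d) + px + m)) % N
    R = mul(k, G)
    k = k if R[1] % 2 == 0 else N - k
    s = (k + i32(th("BIP0340/challenge", b32(R[0]) + px + m)) % N * d) % N
    return dict(ev, id=m.hex(), sig=(b32(R[0]) + b32(s)).hex())
```

`verify_event` is the whole of what "signed by the author" buys a client; any decision about whether the content may execute has to be a separate check on the content itself.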