What are nostriches views on nostr extension approval requests?
#asknostr
nostr:note1g8djdmecreufhsx8mjqf99gkvgz4q6sh8f03y88xg8akfxewdf7q5anjky
In general I like to know what I'm signing... It is also a good policy IRL.
nostr:npub1ajdaw3j4g6aqv86alhn3df8jpulj0mxz3jjgwpm4uh598hc348gqthdt20
Can you specify which app, signer, and OS you experienced this pain with?
Can you kindly provide a screenshot of the cryptic authorization message?
I'm not experiencing pain. I was just answering your question about how I feel about manual vs. carte blanche signing.
Understood.
Can you clarify which apps?
Which apps for what? I'm sorry this conversation feels a little bit AI-bot-ish.
You mention “In general I like to know what I'm signing”
In your experience, which apps led you to not be sure what you are signing on nostr?
For example, “amethyst and amber signer on android”.
Yeah, that is why I don't give apps direct access to the nsec and why I limit what permissions they have in Amber.
I read the raw json of the notes to see what is in it.
That's paranoid. Like you really believe that, say, Amethyst will show you 100 times the real thing and then suddenly go rogue?
Yeah it is a bit. In the case of Amethyst it can do posts, comments, reactions, drafts, but for example addition to follow list is something I still check manually to make sure that the newly signed list is not damaged. I'm not thinking that Amethyst would do this maliciously, but it can still happen due to a syncing error for example.
fair enough
I would rather be asked to approve signing, and have the option to set that particular type of request to automatic in the future, or leave it a manual approval as I see fit.
I would also like approval requests to be very clear about what they are for. I'll pick on the nostr:npub10r8xl2njyepcw2zwv3a6dyufj4e4ajx86hz6v4ehu4gnpupxxp7stjt2p8 a bit for this one. When you are signed in with Amber and you tap to install an app, Amber pops up a signature request that just tells you it's for a "Job request" without any information about what sort of job is being requested. Selecting "Show Details" gives very little help.

Would the average user know what to make of that, or what the Zapstore is going to be using their signature for?
After doing a bit of digging, I discovered that this request is simply to find out the application publisher's "reputation" with the users I follow. In other words, which users that I follow also follow the app publisher. That's a request I am fine with signing for, but the average user is going to have NO IDEA what a kind 5312 is for, or where to even start investigating it.
So, yes, I want to see what my key is being used to sign for, and have the option to accept or reject it, but only if the signing request can be put in plain language what I am signing for. Otherwise, I'm just going to default to rejecting the signing request.
I also only want one signing request at a time. Wait to send more until the first has been accepted or rejected. Not sure if this is more on the end of the extension needing to hold the additional requests in a queue, or if the client should only be sending the signer one request at a time, but it needs to be addressed. This is particularly an issue with DM decryption requests...
The amount of things that need to be signed may be able to be reduced as well. Anything that requires an event to be published to relays will always require a signature, and anything that is being retrieved from a relay that requires AUTH, as well, but not much outside of that should need to be signed. Thing is, almost everything needs to be saved to relays in order to enable interoperability with other Nostr clients. Anything that doesn't require a signature is obviously not being stored on relays, and is therefore not going to show up when you switch to a different client.