Replying to Avatar Niel Liesmons

Aha cool, I see! Thanks for the lively explanation ;)

Standardizing the npubXXXX...ZZZZ with 4 chars each is a great idea. Most clients abbreviate in different ways and let the npub take up a looot of space.

Is "fingerprint" the term for abbreviating like that?
Avatar
daniele 2y ago

The fingerprint is usually a string create with an hash function that guarantees the correctness of the information. Using the first/last 4 chars does *not* do this, of course, because the inner part could differ; in fact it is possible to brute force-forge a npub with the same 4+4 chars. Because of that, I used the word "fingerprint" in quotes.

So it is only probabilistic, but it is also unlikely that someone would spoof my mom account ;)

Adding a real fingerprint is possible, but we need a trade-off between robustness and ease of use, I don't know if it is worth it.

Reply to this note

Please Login to reply.

Discussion

Avatar
Niel Liesmons 2y ago

Seems like a decent trade off indeed!

Also, in the story you wrote: how is your mother holding her nsec? I see an option where she trusts you to hold the encrypted nsec (in a more newbie-friendly nsecbunker) and all she has to do to is remember an email and a password.

Avatar
daniele 2y ago

Good point. We know that currently the nsec management is critical, because it's the single point of failure of a nostr sovereign digital identity. I hid it in the "register" step, we will see different approaches.

I think that a good and cheap one is converting the nsec to something that the user can easily write down and doesn't seem data garbage (psychology matters), so he is encouraged to do so with care. A BIP39 seed phrase seems a decent solution. Snort already proposes it.

Maybe clients could offer the option to add an additional passphrase too, so the seed can be shared with a semi-trusted party (ex. a family member) for backup.

The nsec can be encrypted locally and the app requires just a password/pin/fingerprint to unlock. Gossip and Lume already do this (the problem is more sensible in the desktop env because apps are not sandboxed). This solution is robust, user friendly and discourages copy/pasting of the nsec (with a well done procedure of key generation and backup I would not neither let the user to retrieve it from the app!).