Replying to Avatar Gary Woodfine

You have no idea whether that account has been compromised. You have no idea whether somebody has placed arbitrary scripts within that payload. All signing does is provide proof of authorship, it does not provide proof of author other than it was signed by something with the public/private key pair. It does not validate or verify the content. The threat level in these systems is always what’s in the content.

The early web had the same problems. We’ll go through this exact same cycle with nostr.

Just because you can do something, it’s not always a good idea too do it, until. You’be mitigated the risk of bad actors. There will always be bad actors, it’s a fact of life.

Personally, I wouldn’t trust this implementation until it can be verified. Right now, I would treat it as a moderate cool, but cautious of its safety
Avatar
Gzuuus 4mo ago

You are pointing to features of PKC, where a private key can be used by anyone who has it and produce valid signatures. This is not introduced by Nostr, PGP has always had an advisory of a trust relationship between the key and the entity supposed to be behind it. The solution is web of trust, where there are out-of-band ways to determine links between the key and the person behind it. On the other hand, I'm not sure if you understand how Nostr event signatures work. Of course, it is a verification that the content field of the event is by the author who signed the note; it cannot be changed or modified and still be valid for the signature. Each Nostr event is a portable, self-signed certificate; it is tamper-evident against any modifications. Also, this note can explain more things about HN security measures.

nostr:nevent1qqs0h39n5ta2flyywwff4tts4ey8zjmfzlmp4q82k4rsusz3arltstcpz3mhxue69uhhwmm59ehx7um5wghxuet59upzqrtvswydevzfhrw5ljxnmrpmhy778k5sh2pguncfezks7dry3z3nqvzqqqqqqyzn350y

Reply to this note

Please Login to reply.

Discussion

No replies yet.