Replying to Avatar Note Appreciator

It’s really useful still for the reason you outlined. I see a domain I trust so I know the npub associated with it is trustworthy. When searching for accounts it is the only thing that I can use to tell me which accounts are real and which are imposter accounts if I don’t already have a web of trust. Either you do that or you have to have them tweet out their npub like some users did. Or just give you a npub irl or via a direct message on another trusted platform. Domains are everywhere and until there is a better way of doing this. I think the check marks should remain.
8e
Valentino Giudice 3mo ago 💬 2

It can make sense to trust an account based on its NIP-05 identity if you know the domain.

But the checkmark is shown besides the name of just any account that is associated with any domain name, trustworthy or not. Any scammer or spammer can trivially create a domain name and they are often very willing to pay. So the mere presence of a NIP-05 identity proves nothing.

A checkmark doesn't signal that the user needs to manually verify that the domain is one they trust. The message it conveys is that the account is to be trusted. And, again, the presence of a random domain is no evidence for this.

A solution could be to let users specify a pool of domain names that are to be trusted and have the checkmark for those domains.

The issue is that NIP-05 only allow each user to have one identity. So if there are two domains that could verify me, for instance because I belong to two organizations (many people do), I have to pick one and only one. The people who don't know the organization that I picked, but do trust the other, won't see a checkmark, even though they logically should.

Even for its intended purpose, NIP-05 should allow multiple identifiers. But verification is not its intended purpose.

Reply to this note

Please Login to reply.

Discussion

Avatar
Note Appreciator 3mo ago 💬 1

Ahh gotcha. I wasn’t thinking of those general providers that let anyone pay and then give the name. I don’t trust those at all because anyone can just make a famousName@generalProvider and get the check. The domain is what matters to me not the name. I was thinking more of the situation where I own my domain so I list my public key there so people know which pub key my domain has blessed. But I don’t bother with any of that when I’m posting from one of my many alts like this one.

8e
Valentino Giudice 3mo ago

That's not even the only issue. What I was referring to is that anyone can pay a DNS registrar and have their very own domain name. And scammers create website with their own domain names very often, so the fact that they can isn't just hypothetical.

If someone creates a domain name and a NIP-05 identity with that domain name, clients will show a checkmark. Of course users can manually check that the domain name is a trusted one, but a checkmark conveys that the user is "verified", while the only thing that's been verified is that the owner of the account controls a domain name, which tells us nothing about trustworthiness.

Avatar
daniele 3mo ago 💬 1

The multi domain thought is interesting.

You can technically create more NIP-05 addresses that are simultaneously valid; the pitfall is that currently clients show/verify only one NIP-05 from the "nip05" extra field.

To enable the multi NIP-05 support we could introduce duplicate "nip05" fields (but the JSON would be formally invalid), or have an additional "nip05_alts" with a list of comma separated secondary addresses.

8e
Valentino Giudice 3mo ago

It's something I have suggested before, but didn't get traction.

I actually still think it should be implemented. JSONs must stay compliant. Other than that, I don't care much how the implementation happens, as long as it does.

One issue one might raise is performance. However, this is only a concern if clients load and verify NIP-05 identities for every account every time it's displayed. And the only real reason for doing so is the checkmark, which shouldn't be there anyways.

I think "verification" should happen, for all domains, when the user actually checks the info page of an account, which wouldn't actually require much.