For that I would rather have the bip39 not the nsec
Shakespeare on-chain wallet experiment: https://nostr-to-bitcoin.shakespeare.wtf/
Your Nostr identity is your Bitcoin wallet. You can send Bitcoin to any npub. No setup is required by either party. It "just works"
Discussion
Indeed. Next we can fix Nostr with HD wallets. If your nsec gets compromised you can just generate another and cryptographically prove that they're linked.
I though everyone was doing it. My nostr key is derived from my bip39 master key.
Most clients don't. It would fix a lot if they did, though. You'd still have to guard the root key with your life. If you lost a child key you could potentially recover by emitting a "move" event from the root key.
The clients should remain dumb to this process to avoid a leak. The users should be deriving the nostr key from their master key that they have thoroughly backed up in steel plates. You can recover the child key as long as you have the master key back up and the index number attached to the child key.
This is primarily a security feature that users must warp their heads around. It has to be done in a secure environment, on a laptop that has never been online and that will never be online, with WiFi/BT and hard drive stripped and by using tails from a USB stick. Clients can't do this in a secure manner.
Probably dedicated signer apps like Amber should do this. I believe Alby already does it.
That was my question: if we can use the child key to derive addresses from it through signer apps, our initial master key would t he exposed even to these apps. I'm not sure whether we can use BIP85 32 bytes hex to derive addresses.
Yes