Upon reading the NIP-42 spec, I’m confused 🤔. If every event is signed and therefore verifiably tamper proof, what is the purpose of relays sending a challenge to clients? Couldn’t they simply verify that sensitive events are being sent by the key holder by checking the signature?

Obviously, I’m missing something. But I can’t seem to tell what it is yet. Any #nostrdevs able to help me see the obvious?

Discussion

Hey! NIP-42 is about client auth, and I can see how that can be confusing bc write events are signed. The challenge is that read requests are not… not to mention sometimes websocket connections for a given user are used to rebroadcast messages for other users. So occasionally you’ll even see events come through for more than one pubkey on the same connection. NIP-42 is a spec that would allow for the websocket connection itself to be authed so that the relay can know immediately on connection who the connection is with. This is useful for private relays, or relays that have some more specific read policies.
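The flow katie describes, as an added Python sketch that is not part of this thread or of any Nostr implementation: the relay issues a per-connection challenge, the client answers with a kind 22242 event tagged with that challenge and the relay URL, and only then does the relay let that connection read events (here, kind-4 DMs) addressed to the authenticated pubkey. Assumption: BIP-340 Schnorr signing is replaced by an HMAC stand-in keyed by a constructed secret so the exchange runs without a secp256k1 library; a real relay verifies Schnorr against the pubkey alone.

```python
import hashlib, hmac, json, secrets, time

# Constructed key pair. HMAC stands in for BIP-340 Schnorr (assumption): a real relay
# verifies the signature with only the public key and never holds a secret.
KEYS = {"alicepub": b"alice-secret"}

def event_id(ev):
    # NIP-01 id: sha256 over the compact JSON serialization of the event fields.
    ser = json.dumps([0, ev["pubkey"], ev["created_at"], ev["kind"], ev["tags"], ev["content"]],
                     separators=(",", ":"), ensure_ascii=False)
    return hashlib.sha256(ser.encode()).hexdigest()

def sign(ev, secret):
    ev["id"] = event_id(ev)
    ev["sig"] = hmac.new(secret, bytes.fromhex(ev["id"]), "sha256").hexdigest()
    return ev

def verify(ev):
    secret = KEYS.get(ev["pubkey"])
    return secret is not None and ev.get("id") == event_id(ev) and hmac.compare_digest(
        ev.get("sig", ""), hmac.new(secret, bytes.fromhex(ev["id"]), "sha256").hexdigest())

class Relay:
    URL = "wss://relay.example"  # constructed relay URL
    def __init__(self): self.conns = {}  # connection id -> {"challenge", "pubkey"}
    def on_connect(self, conn):
        self.conns[conn] = {"challenge": secrets.token_hex(16), "pubkey": None}
        return ["AUTH", self.conns[conn]["challenge"]]  # relay -> client
    def on_auth(self, conn, ev, now=None):
        # Client -> relay ["AUTH", event]: bind the event to THIS connection's challenge
        # and THIS relay, reject stale timestamps, and only then trust the pubkey.
        now = now or int(time.time())
        tags = dict((t[0], t[1]) for t in ev["tags"] if len(t) >= 2)
        ok = (ev["kind"] == 22242 and verify(ev)
              and tags.get("challenge") == self.conns[conn]["challenge"]
              and tags.get("relay") == self.URL
              and abs(now - ev["created_at"]) <= 600)
        if ok: self.conns[conn]["pubkey"] = ev["pubkey"]
        return ["OK", ev.get("id", ""), ok, "" if ok else "auth-required: bad auth event"]
    def on_req(self, conn, sub_id, filt):
        # A REQ is unsigned, so the only thing tying it to a user is the connection's auth.
        if 4 in filt.get("kinds", []) and self.conns[conn]["pubkey"] not in filt.get("#p", []):
            return ["CLOSED", sub_id, "auth-required: authenticate to read DMs"]
        return ["EOSE", sub_id]

def client_auth(challenge, pubkey, relay_url, now=None):
    ev = {"pubkey": pubkey, "created_at": now or int(time.time()), "kind": 22242,
          "tags": [["relay", relay_url], ["challenge", challenge]], "content": ""}
    return sign(ev, KEYS[pubkey])
```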

@katie that makes a lot of sense. Thanks for clarifying this! 💖