Replying to Avatar mike

Although you are not aware, every message you write here is cryptographically signed by your private key which matches your public key, so we know the owner of the private key wrote it.

If you wish to verify your identity beyond the fact you hold your private key, then you can optionally verify your identity by storing your public key on a webserver, either yours or somebody else you trust.

If you own the website, you can prove that the owner of the website also owns the private key that signs each message posted here on NOSTR.

If you look at my profile, you will see I am verified as mike@mikehardcastle.com which means I stored my public keys on my website in this file here:

https://mikehardcastle.com/.well-known/nostr.json

Avatar
ManiMe 7mo ago 💬 2

This is not entirely accurate:

> “If you own the website, you can prove that the owner of the website also owns the private key”

The only thing Nip05 (nostr addresses verified by web domains) proves is that “this is address has a pubkey associated with it”.

These pubkey/addresses associations are not signed by a private key and may be changed by the domain owner at any time.

Reply to this note

Please Login to reply.

Discussion

Avatar
mike 7mo ago

No, I was entirely correct.

Your attempt to correct me is ambiguous.

I can however explain more precisely.

It may not be the website owner that owns the key, but you at least have the permission of the admin for the site to upload the file.

The json file contains a HEX converted copy of your public key, along with relay list to find you on.

Anybody can generate that hex translation, but only somebody with permission can upload it to a website.

By definition, this creates a relationship between the holder of the private / public key pair and the web site admin / owner.

In my case, I both own and administer my domain name, I can therefore verify myself.

This is a100% correct explanation and does not need your incorrect challenge of it.

This is why around a year ago, the fake Forbes reporter failed to persuade anybody to give an interview because they could not upload the hex version of their public key to the forbes.com website meaning they did not work for Forbes.

This is incredibly powerful if you think about it. Even more powerful for companies than individuals.

Avatar
Jose Sammut 7mo ago 💬 1

stand ya base mike

Avatar
mike 7mo ago 💬 2

I wouldn't mind, but I'd just done a podcast about it 😂

Avatar
ManiMe 7mo ago 💬 1

I appreciate your statement that NIP05 “verification” from a “trusted” (by some other means) domain carries a lot of weight in “vouching for” pubkey. But still… your OP statement is problematic.

> “If you own the website, you can prove that the owner of the website also owns the private key”

NIP05 on its own (aside from the credibility of the issuing domain) does not “prove” private key ownership.

I love you Mike, but srsly.

Avatar
mike 7mo ago 💬 1

You are discussing semantics within a proposal which I haven't even bothered mentioning within my explanation.

I love me too 😂

Have a nice day 🫂