Avatar
Tim Bouma 2mo ago 💬 43

I am thinking about creating the concept of a “cpub” or child public key of a root npub. The idea is that the cpub can be provably traced back to a npub. I can have as many cpubs as I want, that map back to the same ‘identity’. If a cpub keypair gets compromised, I can publish an event that invalidates that cpub.

As for clients, when they see what is a cpub, they can resolve back to the root npub and present that identity instead.

The driving requirement is to have a protected root npub that corresponds to my identity; it is high-value so I only want to sign with it when absolutely necessary - keeping it on a hardware signer device.

Any comments on this approach?

Reply to this note

Please Login to reply.

Discussion

Avatar
So Tachi 2mo ago

thats cool

Avatar
HoloKat 2mo ago

Like 👍

Avatar
HoloKat 2mo ago

I vibed a concept signer that does exactly this a year ago but it was just a mock, missing all of the actual cryptography.

Avatar
Tim Bouma 2mo ago

Oh cool. I have been reading up on KERI (key event receipt infrastructure) and hierarchical key derivation (bip32 I think). It wouldn’t be that difficult. I’ve started to prototype the mechanisms to prove the concept out.

Avatar
HoloKat 2mo ago

Awesome 👏 looking forward to it!

Avatar
Tim Bouma 2mo ago

I’ve been reading various fiat world specs that seem to require a lot of voodoo. I think it’s pretty simple in the end, and not that different from (identical to) what is already done in the bitcoin world.

Avatar
HoloKat 2mo ago

Yep. Bitcoin paved the way.

Avatar
Tim Bouma 2mo ago

All figured out in 2013…

ed
ede3d957... 2mo ago

Do it. It's like a HD wallet but for Nostr.

It'll open new possibilities.

Avatar
Tim Bouma 2mo ago

Exactamento.

ed
ede3d957... 2mo ago

Not sure if I can get back to some of my earlier posts as I treat Nostr as my RAM.

But I put in some thoughts around it one or two years ago. If I find it and it looks helpful I'll let you know.

Avatar
Tim Bouma 2mo ago

Cool! Thanks!

Avatar
Basanta Goswami 2mo ago

https://blossom.primal.net/6fbfe01b6cd64e9f51f4267c855e36d16072840171d2caa710e063667b3701cb.mp4

I am playing around with the idea of having two key pairs for new users, one for your daily usage, the other to be kept private till you need to rotate the daily npub/nsec

Will release details soon, built a client and everything to validate the idea, need to do some more work before I am confident this works

Avatar
Tim Bouma 2mo ago

Very cool! The reason I posted because there’s likely people more smarter and more capable than me already working on this. Will take a look. Thanks!

Avatar
Tim Bouma 2mo ago

We thinking of exactly the same idea. My only difference is that I am thinking of key derivation instead of key rotation. The magic of crypto is that I can derive/validatr the child publickeys from the npub without knowing the private key.

Avatar
Robert Allen 2mo ago

Makes sense to me. Seems like the right direction. I’m guessing you will make something like NIP05 (or extension of this NIP) to publish the cpubs related to a given npub?

Avatar
Tim Bouma 2mo ago

I need to experiment first. But I see that an additional tag would be added to the event something like [npub, npub1….], that if it can be related to the pubkey that published the event, the root npub would be shown as the author instead. It would also check an event to see if the cpub has been invalidated or not.

Avatar
Robert Allen 2mo ago

I think I follow. And there would be a note published by the npub declaring it owns a cpub when it is created?

Avatar
Judge Hardcase 2mo ago

This is a cool idea.

If a cpub gets compromised, rather than publishing an event that invalidates it, could you publish an event that tells clients to redirect any use of it to a new cpub?

Avatar
Tim Bouma 2mo ago

That’s the general idea, but details need to be worked. I could also add a ‘not valid after’ timestamp. That would not prevent an attacker from publishing prior fake events, but would prevent anything published after.

Avatar
Constant 2mo ago

I like it in the reverse, but not how you put it, i.e. im able to generate sub ID's for various purposes on the fly that a client/signer is able work with via derivation; making me just having to handle 1 keypair (with the trade off that in case of compromise/loss, i fuck up all that stuff as well)

The main issue with what you are proposing is that it breaks the assumption much of everything works on here, and that is everything resolves around a particular npub. Instead, you put in this extra step required having to run some xpub derivation stuff to see if some pubkey potientially means something else i would otherwise not be aware of.

So in other words, what on earth do i query if i look for your stuff? Do i query a range of derivations? Do relays do that for you? You just broke the whole straightforward pointer basically

Avatar
Tim Bouma 2mo ago

Only if you want the next step. Doesn’t break any assumption.

Avatar
earthcuddle 2mo ago

Derived keys could still be indexed by a common main npub p tag

Avatar
hodlbod 2mo ago

HD keys have been discussed many times. I'd personally rather see a solution to key rotation, because HD keys only improve key security for people who keep their root key safe, which is not going to be most users. Key rotation on the other hand is only slightly more complex in terms of client implementation (although the rotation protocol would be tricky), and would allow users to generate any number of keys on an ad-hoc basis.

Avatar
Tim Bouma 2mo ago

I think it can be key rotation along with hierarchical keys. With key rotation you still need ‘witnesses’, so then you are relying on someone else’s private key.

Avatar
hodlbod 2mo ago

Yes, or open timestamp attestations

Avatar
Tim Bouma 2mo ago

Yup. I am also going to look into nostr:npub1cn670f663n3ks02jnnlsvd5y88zjnefy8343ykaxs7y3nzzketrsrjwt8a's attestation NIP to see if it will do the job as well.

Avatar
Nathan Day 2mo ago

Would help with social recovery I think.

Avatar
Nathan Day 2mo ago

We need a key rotation event published by the key looser with the new npub that can be attested too by others after out-of-band verification.

Avatar
Tim Bouma 2mo ago

Yeah, we could do that for the root key and social recovery for the exceptional circumstance of losing that. The key rotation I am proposing is more for mundane operational stuff.

I am trying to cherry-pick the best of this spec which underpins the legal entity identifier.

https://trustoverip.github.io/kswg-keri-specification/versions/v1/

Avatar
Tim Bouma 2mo ago

At least it would give me a nsec I can plug into all those insecure nostr apps, which then could figure out that it was actually me, without me giving away my Crown Jewels.

Alternatively, if I forget the nsec for some random app, I can derive the private key to get back in.

Avatar
hzrd149 2mo ago

Avatar
Tim Bouma 2mo ago

Happy if you point me to previously failed efforts. At least I did not debut the idea with a NIP pull request.

Avatar
hzrd149 2mo ago

Fair enough, but child keys and key rotation have been a reoccurring topic in Nostr since I started working on it three years ago.

It's complicated, but I think there are two parts that I commonly hear.

Key derivation / child keys and then key rotation. The first will never work in Nostr, IMO. The second one is a very hard problem.

The problem with key derivation and child keys is that it pushes the complexity of the implementation to the edges. So for every user that uses derived keys, all of their followers must look up, check, and verify the keys. Which is a difficult task on its own without considering that users could intentionally or unintentionally use multiple child keys at the same time and increasing the complexity even further.

And finally the problem with key rotation is always keeping key material safe. In thoery an offline master key protects against leaked child keys. But it requires the user to protect the master key, something that apparently they can't do with the child key.

I don't pretend to have all the answers with key rotation, and I admit it's a problem we have to still solve. But IMO it's not as simple as using key derivation

Avatar
Tim Bouma 2mo ago

It’s complex. Agree. But, I am not happy with the voodoo on key rotation I see in the fiat world. Yes, it is complex, and the default should be just a npub. But if there can be an indication that the event originated from a master npub - that could be a good thing. Right now, npubs are perfectly fine for social media and fun stuff, but no way would I pin any business dealings on a using a nsec freely shared in the client-wild. This likely would be for business use cases.

Avatar
il_lost_ 2mo ago

you can choose between frost or higher

Avatar
Tim Bouma 2mo ago

Yeah, frost I need to take a close look.

d5
Queue 2mo ago

Reminds me of SSL certs and PKI. I'm not sure this scales well because the CRL has to be remembered forever and never fail or it creates security problems.

you could once again borrow an idea from PkI: expiration. You could make it so that all children expire (pun intended) so eventually all leaked keys are invalid even if the CRL is lost

Avatar
Sebastix 2mo ago 💬 1

I had a look into https://github.com/Sebastix/mimoty/tree/mimoty.kubo.watch previous week (fork by nostr:npub1gzuushllat7pet0ccv9yuhygvc8ldeyhrgxuwg744dn5khnpk3gs3ea5ds)

Avatar
Gzuuus 2mo ago

Yes, that was the way I came up with it last time I was thinking about key rotation, derivation, subkeys, etc. Instead of making it a standard (which is difficult and hard to agree on), just play by your own rules and create your own signing schemes, derive any amount of keys, etc. No one needs to know anything because, in the end, everything gets signed with your "canonical" keys, so there aren't any new features that client devs needs to take care about. On the other side, the only standard that I think might be valuable for this case of key rotation is social proofs, as other keys attesting/signaling that you rotated. It's the same principle as the wot in PGP, and in Nostr, it could be achieved out of the box. I really want to put together a prototype about this. Maybe I'll have some time soon...

Avatar
Sebastix 2mo ago

I think we have a perfect use-case in nostr:npub1kdstrkmhv0yx8pdqcf9ed8l26752gqprx68twg7qp5nsd7qtegnsr3nsze where a parent (root key) can create a subkey for his/her child. I've already build the logic + code for managing childs within the app including generating a keypair when you add a child.

Avatar
mfostr 1mo ago

https://github.com/wujifoo/nostr-bip-85-prototype

Not sure if this is what you had in mind, but the concept is similar.