It can make sense to trust an account based on its NIP-05 identity if you know the domain.
But the checkmark is shown beside the name of just any account that is associated with any domain name, trustworthy or not. Any scammer or spammer can trivially create a domain name and they are often very willing to pay. So the mere presence of a NIP-05 identity proves nothing.
A checkmark doesn't signal that the user needs to manually verify that the domain is one they trust. The message it conveys is that the account is to be trusted. And, again, the presence of a random domain is no evidence for this.
A solution could be to let users specify a pool of domain names that are to be trusted and have the checkmark for those domains.
The issue is that NIP-05 only allows each user to have one identity. So if there are two domains that could verify me, for instance because I belong to two organizations (many people do), I have to pick one and only one. The people who don't know the organization that I picked, but do trust the other, won't see a checkmark, even though they logically should.
Even for its intended purpose, NIP-05 should allow multiple identifiers. But verification is not its intended purpose.
Ahh gotcha. I wasn’t thinking of those general providers that let anyone pay and then give the name. I don’t trust those at all because anyone can just make a famousName@generalProvider and get the check. The domain is what matters to me not the name. I was thinking more of the situation where I own my domain so I list my public key there so people know which pub key my domain has blessed. But I don’t bother with any of that when I’m posting from one of my many alts like this one.
That's not even the only issue. What I was referring to is that anyone can pay a DNS registrar and have their very own domain name. And scammers create websites with their own domain names very often, so the fact that they can isn't just hypothetical.
If someone creates a domain name and a NIP-05 identity with that domain name, clients will show a checkmark. Of course users can manually check that the domain name is a trusted one, but a checkmark conveys that the user is "verified", while the only thing that's been verified is that the owner of the account controls a domain name, which tells us nothing about trustworthiness.
The multi domain thought is interesting.
You can technically create more NIP-05 addresses that are simultaneously valid; the pitfall is that currently clients show/verify only one NIP-05 from the "nip05" extra field.
To enable the multi NIP-05 support we could introduce duplicate "nip05" fields (but the JSON would be formally invalid), or have an additional "nip05_alts" with a list of comma-separated secondary addresses.
It's something I have suggested before, but didn't get traction.
I actually still think it should be implemented. JSONs must stay compliant. Other than that, I don't care much how the implementation happens, as long as it does.
One issue one might raise is performance. However, this is only a concern if clients load and verify NIP-05 identities for every account every time it's displayed. And the only real reason for doing so is the checkmark, which shouldn't be there anyways.
I think "verification" should happen, for all domains, when the user actually checks the info page of an account, which wouldn't actually require much.
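The two ideas raised in this thread, a user-chosen pool of trusted domains (so the checkmark means "a domain I trust vouches for this key" rather than "some domain exists") and verifying several identifiers instead of only the primary one, as an added Python example that is not part of the original discussion or of any Nostr client. It assumes the standard NIP-05 lookup (`https://<domain>/.well-known/nostr.json?name=<local-part>` returning `{"names": {...}}`) and the `nip05_alts` comma-separated field proposed above, which is hypothetical and not part of NIP-05; the keys, domains and server responses are constructed and served from an in-memory dict so the code runs offline.

```python
import json
import re
from typing import Callable, Dict, List, Optional, Set, Tuple

# A NIP-05 identifier is <local-part>@<domain>. NIP-05 allows a-z0-9-_. in the
# local part (case-insensitive); the domain is an ordinary hostname.
IDENT_RE = re.compile(r"^([a-z0-9\-_.]+)@([a-z0-9\-.]+)$", re.IGNORECASE)

# A fetcher maps a URL to a response body, or None on any network/HTTP failure.
Fetcher = Callable[[str], Optional[str]]


def well_known_url(name: str, domain: str) -> str:
    """The document a NIP-05 client fetches for a given identifier."""
    return f"https://{domain}/.well-known/nostr.json?name={name}"


def split_identifier(identifier: str) -> Optional[Tuple[str, str]]:
    """Return (local_part, domain) in lowercase, or None if malformed."""
    m = IDENT_RE.match(identifier.strip())
    if not m:
        return None
    return m.group(1).lower(), m.group(2).lower()


def nip05_resolves(identifier: str, pubkey_hex: str, fetch: Fetcher) -> bool:
    """True iff <domain>/.well-known/nostr.json maps <name> to this pubkey.

    This is all NIP-05 can prove: whoever controls the domain vouches for the
    pubkey. It says nothing about whether the domain itself deserves trust.
    """
    parts = split_identifier(identifier)
    if parts is None:
        return False
    name, domain = parts
    body = fetch(well_known_url(name, domain))
    if body is None:
        return False  # 404, timeout, TLS error: treat as not verified
    try:
        doc = json.loads(body)
    except ValueError:
        return False  # malformed nostr.json counts as not verified
    names = doc.get("names") if isinstance(doc, dict) else None
    if not isinstance(names, dict):
        return False
    lowered = {str(k).lower(): v for k, v in names.items()}
    mapped = lowered.get(name)
    return isinstance(mapped, str) and mapped.lower() == pubkey_hex.lower()


def identifiers_from_metadata(metadata: dict) -> List[str]:
    """Primary 'nip05' plus the comma-separated 'nip05_alts' proposed in this
    thread (a hypothetical field, not part of NIP-05). Order kept, no duplicates."""
    candidates: List[str] = []
    primary = metadata.get("nip05")
    if isinstance(primary, str):
        candidates.append(primary)
    alts = metadata.get("nip05_alts")
    if isinstance(alts, str):
        candidates.extend(alts.split(","))
    seen: Set[str] = set()
    result: List[str] = []
    for c in candidates:
        c = c.strip().lower()
        if c and c not in seen:
            seen.add(c)
            result.append(c)
    return result


def trust_decision(metadata: dict, pubkey_hex: str,
                   trusted_domains: Set[str], fetch: Fetcher) -> Dict[str, object]:
    """Verify every identifier, but show a checkmark only when a domain the
    *user* chose to trust vouches for the key."""
    trusted = {d.lower() for d in trusted_domains}
    verified = [i for i in identifiers_from_metadata(metadata)
                if nip05_resolves(i, pubkey_hex, fetch)]
    trusted_ids = [i for i in verified if split_identifier(i)[1] in trusted]
    return {"verified": verified, "trusted": trusted_ids,
            "show_checkmark": bool(trusted_ids)}


# --- Constructed sample data: none of these keys, domains or accounts are real ---
ALICE_PUBKEY = "a1" * 32
OTHER_PUBKEY = "b2" * 32

ALICE_METADATA = {
    "name": "alice",
    "nip05": "alice@acme-corp.example",
    "nip05_alts": "alice@research.example, alice@acme-corp.example",
}
# Someone who simply registered a domain and published a valid nostr.json.
OTHER_METADATA = {"name": "Acme Support", "nip05": "support@acme-corp-support.example"}

FAKE_RESPONSES: Dict[str, Optional[str]] = {
    well_known_url("alice", "acme-corp.example"): json.dumps({"names": {"alice": ALICE_PUBKEY}}),
    well_known_url("alice", "research.example"): json.dumps({"names": {"alice": ALICE_PUBKEY}}),
    well_known_url("support", "acme-corp-support.example"): json.dumps({"names": {"support": OTHER_PUBKEY}}),
}


def offline_fetch(url: str) -> Optional[str]:
    """Stand-in for the HTTP layer; None models a 404 or network error."""
    return FAKE_RESPONSES.get(url)


if __name__ == "__main__":
    pool = {"acme-corp.example"}
    print(trust_decision(ALICE_METADATA, ALICE_PUBKEY, pool, offline_fetch))
    print(trust_decision(ALICE_METADATA, ALICE_PUBKEY, {"research.example"}, offline_fetch))
    print(trust_decision(OTHER_METADATA, OTHER_PUBKEY, pool, offline_fetch))
```

The third call is the case the thread is about: the identifier verifies (the domain really does vouch for that key), yet no checkmark appears because the domain is not in the user's pool. The second call shows the multi-domain point, where a user who trusts only the second organization still gets the checkmark via the alternate identifier. Lookups happen only when `trust_decision` is called, so a client can run it when the profile page is opened rather than on every render.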