Replying to Avatar unl0ckd

I love the decentralized nature of Nostr, but I have a nagging concern about my Nsec. If this secret is ever compromised, my entire identity across Nostr is compromised.

Is there a method to rotate breached nsec based on my npub? How would this work?

I would only possess an authenticate token, my npub, that anyone would know or could find out. I like how private Nostr is, but without having my nsec/npub associated with another identity like my email, it seems like I must protect my nsec at all costs.

I store my nsec in 1Password, so Iā€™m not overly concerned about disclosure of my nsec locally, but I worry that another strength of the Nostr ecosystem (as I understand it after using it for 48 hours) could prove to be a security weakness: all Nostr clients must protect my nsec equally. If one of them ever mis-handles this secret, my entire Nostr identity is compromised.

Am I understanding Nostr Authentication properly?

#asknostr
Avatar
Ryan 3mo ago šŸ’¬ 2

Use a signing app, then only one app will have access to your private key.

Android only. Supports most Android apps & bunker connections.

https://github.com/greenart7c3/amber

Cross platform, supports bunker connections.

https://github.com/ZharlieW/Aegis

https://github.com/haorendashu/nowser

Reply to this note

Please Login to reply.

Discussion

Avatar
unl0ckd 3mo ago šŸ’¬ 1

I will look into these, thanks for the pointer!

The problem now is trusting the signing app :(

Is there an official Nostr governing body that can set standards and guidelines here or is it early enough that the community is doing so from the ground up? It seems like the latter, but Iā€™m still a Nostr n00b.

Avatar
Ryan 3mo ago šŸ’¬ 1

Nostr has no governing body. Community driven development.

Of the 3 apps Amber is the most mature, and is made by nostr:nprofile1qqs827g8dkd07zjvlhh60csytujgd3l9mz7x807xk3fewge7rwlukxgpz9mhxue69uhkummnw3ezumrpdejz772u5wm

If you are on Android this is likely the best choice overall.

Nowser is made by nostr:nprofile1qqszjvsfwh0c2hlrffa5ttdzgg0zcaquxlqpx6gplerhzvafr6cckpcppemhxue69uhkummn9ekx7mp0qy2hwumn8ghj7un9d3shjtnyv9kh2uewd9hj7qg4waehxw309ahx7um5wghx77r5wghxgetk9u0ww7wd and includes a web browser, which is handy for Nostr web apps

Aegis is made by nostr:nprofile1qqs0zu6pvt8qzkqgveurm7jsx0qjkr8q98uq29dwud0q34crmv2mtaspzamhxue69uhhyetvv9ujuvrcvd5xzapwvdhk6tcppemhxue69uhkummn9ekx7mp0qy08wumn8ghj7mn0wd68yttsw43zuam9d3kx7unyv4ezumn9wshsx29rvf

Avatar
unl0ckd 3mo ago

Thank you so much for all of the info! Truly appreciated.

Avatar
ManiMe 3mo ago

Self custody of private keys is still a young and fast evolving space within Nostr.

My biggest advice when shopping for an app is : keep it simple (it should only do key management and nothing else) and make sure that people you trust can trust or recommend it.