Replying to Avatar unl0ckd

I love the decentralized nature of Nostr, but I have a nagging concern about my Nsec. If this secret is ever compromised, my entire identity across Nostr is compromised.

Is there a method to rotate breached nsec based on my npub? How would this work?

I would only possess an authenticate token, my npub, that anyone would know or could find out. I like how private Nostr is, but without having my nsec/npub associated with another identity like my email, it seems like I must protect my nsec at all costs.

I store my nsec in 1Password, so Iā€™m not overly concerned about disclosure of my nsec locally, but I worry that another strength of the Nostr ecosystem (as I understand it after using it for 48 hours) could prove to be a security weakness: all Nostr clients must protect my nsec equally. If one of them ever mis-handles this secret, my entire Nostr identity is compromised.

Am I understanding Nostr Authentication properly?

#asknostr
Avatar
Ryan 3mo ago šŸ’¬ 2

Use a signing app, then only one app will have access to your private key.

Android only. Supports most Android apps & bunker connections.

https://github.com/greenart7c3/amber

Cross platform, supports bunker connections.

https://github.com/ZharlieW/Aegis

https://github.com/haorendashu/nowser

Reply to this note

Please Login to reply.

Discussion

Avatar
unl0ckd 3mo ago šŸ’¬ 1

I will look into these, thanks for the pointer!

The problem now is trusting the signing app :(

Is there an official Nostr governing body that can set standards and guidelines here or is it early enough that the community is doing so from the ground up? It seems like the latter, but Iā€™m still a Nostr n00b.

Avatar
Ryan 3mo ago šŸ’¬ 1

Nostr has no governing body. Community driven development.

Of the 3 apps Amber is the most mature, and is made by nostr:npub1w4uswmv6lu9yel005l3qgheysmr7tk9uvwluddznju3nuxalevvs2d0jr5

If you are on Android this is likely the best choice overall.

Nowser is made by nostr:npub19yeqjawls407xjnmgkk6yss7936pcd7qzd5srlj8wye6j8433vrsjazqwk and includes a web browser, which is handy for Nostr web apps

Aegis is made by nostr:npub179e5zckwq9vqsenc8ha9qv7p9vxwq20cq526ac67prts8kc4khmqu50zj8

Avatar
unl0ckd 3mo ago

Thank you so much for all of the info! Truly appreciated.

Avatar
ManiMe 3mo ago

Self custody of private keys is still a young and fast evolving space within Nostr.

My biggest advice when shopping for an app is : keep it simple (it should only do key management and nothing else) and make sure that people you trust can trust or recommend it.