Avatar
mfostr
df739a4c91de28ab6e30fd5f4ca9af3f78166fe54832a6b81a782cbfc0890c2f
Working on the http://futureinternet.io 🛜
Avatar
mfostr 1d ago

https://datatracker.ietf.org/doc/html/draft-ietf-openpgp-crypto-refresh-13

Avatar
mfostr 1d ago

Immutable Democracy! 🗳️🔏

https://youtu.be/g0nnM5_Z90E

Avatar
mfostr 2d ago

https://blossom.primal.net/b28903af828b13bf054a8a533d7f0c3617a56346b711bd87cbbcd00d0c4b0c1a.mov

Avatar
mfostr 4d ago

C2PA https://C2PA.org uses CAWG https://cawg.io/ for identity, I am moving towards building prototypes that map context with JSON-LD to CAWG Context https://cawg.io/identity/1.1/ica/context/ for Nostr and bridging it to ProofMode https://ProofMode.org for interoperability.

https://proof-chain.pages.dev/

Replying to Avatar mfostr

Correct, postMessage is the way to keep the contexts separate. You can do the same with OPFS, it’s got some added features with a hidden context by default and is highly performant. You can also back up your signed nostr event notes in an SQLite DB and pin other SHA256 addressable notes via local cache.

https://primal.net/e/1cb0612ff42762b7639e64b641319229d4e7848a4228331f6f27f27fa6c248cd

client.com (page)

│ postMessage (cross‑origin, sandbox‑safe)

vault.com (iframe)

│ postMessage (same‑origin, internal)

vault Worker (isolated agent)

├── OPFS (Origin Private File System)

└── IndexedDB

Avatar
mfostr 2w ago

This is the way!

https://youtu.be/LaiN63o_BxA

Replying to Avatar bigmarh

The key detail you might be missing is that NostrPass executes in a Worker, not in the main page context. So in NOstrpass it goes client -> vault -> worker. The worker has it's own context and isn't callable from the extension.
Avatar
mfostr 2w ago

Correct, postMessage is the way to keep the contexts separate. You can do the same with OPFS, it’s got some added features with a hidden context by default and is highly performant. You can also back up your signed nostr event notes in an SQLite DB and pin other SHA256 addressable notes via local cache.

https://primal.net/e/1cb0612ff42762b7639e64b641319229d4e7848a4228331f6f27f27fa6c248cd

client.com (page)

│ postMessage (cross‑origin, sandbox‑safe)

vault.com (iframe)

│ postMessage (same‑origin, internal)

vault Worker (isolated agent)

├── OPFS (Origin Private File System)

└── IndexedDB

Replying to Avatar bigmarh

I like the Idea of OPFS for sure, context is what matters.
Avatar
mfostr 2w ago

🙌 Absolutely, I agree 1000% percent, context is everything!

Replying to Avatar gandlaf21

It's kinda insane that we've built the incentive structures of business in a way that are designed to fuck over the user/consumer.

How nice would it be if you could just trust a company to do the right things, and is not gonna extract and sell every last drop of data from you?

I might even consider running non-opensource software.

But in this precedent, no way.

you have to assume they are trying to fuck you.

A sad symptom of fiat money, or how did we end up here?
Avatar
mfostr 2w ago

Greed.

Replying to Avatar mfostr

I’m trying to wrap my head around the differences between using IndexedDB, OPFS, and SQLite in your scenario. I’ve been researching the idea of running an isolated iFrame on client.com for vault.com and passing data between the two origins via postMessage. In that setup, is there anything in NostrPass that prevents rogue extension