Conversation

Notices

1. Embed this notice
   mikedilger (ee11a5dff40c19a555f41fe42b48f00e618c91225622ae37b6c2bb67b76c4e49@mostr.pub)'s status on Friday, 18-Aug-2023 12:27:24 JST mikedilger
   IMHO the fact that nostr identities use self-created and self-managed keypairs is not a flaw, nostr does not need a way to bind keys to names, nor does it need identity provider services.
   
   If you want to bind a key to a name, use a petname. That idea was there from the start (afaik). What is a name anyways other than a way for you to remember who that key represents?
   
   The whole business of binding keys to other sorts of identifiers was always murky to me. Why are these other sorts of identifiers important? Who are they important to? Are the centralized? Do they promote centralization? Why should I trust some 3rd party with this binding?
   
   Back at Sun Microsystems IT, I made a proposal I was (and still am) very proud of, but it wasn't accepted and probably wasn't really well understood either. The proposal was to send new recruits a javacard with a Sun PKI keypair pre-generated on the card, along with a serial port smartcard reader (this was pre USB). They would fill out their job applications under a session authenticated by (or else digitally signed by) the keys on that card. Everything the company knew about the person happened through those keys. In this way, the problem of authenticating people before giving them a keypair disappeared. The problem of binding some knowledge about them to a keypair was solved, because all that knowledge was acquired in the first place through that keypair.
   
   I have no idea who fiatjaf really is. I don't know his real name. No third party bound some identifying information about him to his keypair and shared it with me in certificate form. And yet I have a good idea who he is and how much I trust him and in which regards. "By their fruits shall you know them" - Matthew 7:16
   
   Nostr has other issues. How to roll over a keypair. How to export/import private keys without risking their exposure. IMHO these are much better issues to have than ... oh shit Thawte/StartCom/Comodo/DigiNotar/TurkTrust/NICCA/CNNIC/WoSign/LetsEncrypt/Symantec/StartCom/GoDaddy/Certinomis fucked up and aren't trustworthy.
   • Alex Gleason likes this.
   • Embed this notice
     Alex Gleason (alex@gleasonator.com)'s status on Friday, 18-Aug-2023 12:29:47 JST Alex Gleason

     in reply to
     @ee11a5dff40c19a555f41fe42b48f00e618c91225622ae37b6c2bb67b76c4e49 You can reverse lookup a pubkey by finding a kind 0, getting the NIP-05 and then doing a NIP-05 lookup to get the relay. Don't shoot me.
     
     @97c70a44366a6535c145b333f973ea86dfdc2d7a99da618c40c64705ad98e322
   • Embed this notice
     Alex Gleason (alex@gleasonator.com)'s status on Friday, 18-Aug-2023 12:33:57 JST Alex Gleason

     in reply to

     • Alex Gleason
     @ee11a5dff40c19a555f41fe42b48f00e618c91225622ae37b6c2bb67b76c4e49 @97c70a44366a6535c145b333f973ea86dfdc2d7a99da618c40c64705ad98e322 The second best way is the kind 10002. But I wish the relay URL was on the kind 0. The kind 10002 seems like it requires activism to make people adopt. I needs to be a more ingrained part of the protocol.