Embed Notice

HTML Code

<blockquote style="position: relative; padding-left: 55px;"><section><a href="https://mostr.pub/objects/9800e0f5e4b62e73b7f30d1965b1586b1298bf56ac6aa5b49f0d8e9f4ec71da1">mikedilger (ee11a5dff40c19a555f41fe42b48f00e618c91225622ae37b6c2bb67b76c4e49@mostr.pub)'s status on Friday, 18-Aug-2023 12:27:24 JST</a><a href="https://mostr.pub/users/ee11a5dff40c19a555f41fe42b48f00e618c91225622ae37b6c2bb67b76c4e49" title="ee11a5dff40c19a555f41fe42b48f00e618c91225622ae37b6c2bb67b76c4e49@mostr.pub"><img src="https://gnusocial.jp/avatar/106896-48-20230320162052.webp" width="48" height="48" alt="mikedilger" style="position: absolute; left: 0; top: 0;">mikedilger</a></section><article>IMHO the fact that nostr identities use self-created and self-managed keypairs is not a flaw, nostr does not need a way to bind keys to names, nor does it need identity provider services.<br><br>If you want to bind a key to a name, use a petname. That idea was there from the start (afaik).  What is a name anyways other than a way for you to remember who that key represents?<br><br>The whole business of binding keys to other sorts of identifiers was always murky to me. Why are these other sorts of identifiers important? Who are they important to? Are the centralized? Do they promote centralization? Why should I trust some 3rd party with this binding?<br><br>Back at Sun Microsystems IT, I made a proposal I was (and still am) very proud of, but it wasn't accepted and probably wasn't really well understood either. The proposal was to send new recruits a javacard with a Sun PKI keypair pre-generated on the card, along with a serial port smartcard reader (this was pre USB).  They would fill out their job applications under a session authenticated by (or else digitally signed by) the keys on that card. Everything the company knew about the person happened through those keys.  In this way, the problem of authenticating people before giving them a keypair disappeared. The problem of binding some knowledge about them to a keypair was solved, because all that knowledge was acquired in the first place through that keypair.<br><br>I have no idea who fiatjaf really is. I don't know his real name. No third party bound some identifying information about him to his keypair and shared it with me in certificate form. And yet I have a good idea who he is and how much I trust him and in which regards. "By their fruits shall you know them" - Matthew 7:16<br><br>Nostr has other issues. How to roll over a keypair. How to export/import private keys without risking their exposure. IMHO these are much better issues to have than ... oh shit Thawte/StartCom/Comodo/DigiNotar/TurkTrust/NICCA/CNNIC/WoSign/LetsEncrypt/Symantec/StartCom/GoDaddy/Certinomis fucked up and aren't trustworthy.</article><footer><a rel="bookmark" href="https://gnusocial.jp/conversation/1960937#notice-3849907">In conversation</a><time datetime="2023-08-18T12:27:24+09:00" title="Friday, 18-Aug-2023 12:27:24 JST">about a year ago</time> <span>from <span><a href="https://mostr.pub/objects/9800e0f5e4b62e73b7f30d1965b1586b1298bf56ac6aa5b49f0d8e9f4ec71da1" rel="external" title="Sent from mostr.pub via ActivityPub">mostr.pub</a></span></span><a href="https://mostr.pub/objects/9800e0f5e4b62e73b7f30d1965b1586b1298bf56ac6aa5b49f0d8e9f4ec71da1">permalink</a></footer></blockquote>

Corresponding Notice

Embed this notice
mikedilger (ee11a5dff40c19a555f41fe42b48f00e618c91225622ae37b6c2bb67b76c4e49@mostr.pub)'s status on Friday, 18-Aug-2023 12:27:24 JST mikedilger
IMHO the fact that nostr identities use self-created and self-managed keypairs is not a flaw, nostr does not need a way to bind keys to names, nor does it need identity provider services.

If you want to bind a key to a name, use a petname. That idea was there from the start (afaik). What is a name anyways other than a way for you to remember who that key represents?

The whole business of binding keys to other sorts of identifiers was always murky to me. Why are these other sorts of identifiers important? Who are they important to? Are the centralized? Do they promote centralization? Why should I trust some 3rd party with this binding?

Back at Sun Microsystems IT, I made a proposal I was (and still am) very proud of, but it wasn't accepted and probably wasn't really well understood either. The proposal was to send new recruits a javacard with a Sun PKI keypair pre-generated on the card, along with a serial port smartcard reader (this was pre USB). They would fill out their job applications under a session authenticated by (or else digitally signed by) the keys on that card. Everything the company knew about the person happened through those keys. In this way, the problem of authenticating people before giving them a keypair disappeared. The problem of binding some knowledge about them to a keypair was solved, because all that knowledge was acquired in the first place through that keypair.

I have no idea who fiatjaf really is. I don't know his real name. No third party bound some identifying information about him to his keypair and shared it with me in certificate form. And yet I have a good idea who he is and how much I trust him and in which regards. "By their fruits shall you know them" - Matthew 7:16

Nostr has other issues. How to roll over a keypair. How to export/import private keys without risking their exposure. IMHO these are much better issues to have than ... oh shit Thawte/StartCom/Comodo/DigiNotar/TurkTrust/NICCA/CNNIC/WoSign/LetsEncrypt/Symantec/StartCom/GoDaddy/Certinomis fucked up and aren't trustworthy.
In conversationabout a year ago from mostr.pubpermalink

Public

Embed Notice

HTML Code

Corresponding Notice