No doubt, Nostr is promising and exciting.
But there is still an unsolved (or at least not properly solved) problem before Nostr becomes "the new Twitter," or the favoured network for hundreds of millions of people: human-readable handles.
NIP-05 is addressing this issue, by allowing users to "verify" a Nostr public key, which means mapping it to a human-readable handle (in fact a DNS-based identifier). But there are still some (important) issues.
In a nutshell, there are only 3 possibilities:

1. No verification

You use Nostr with a default public key, and will be identified on the network as something like:
npub1sg6plzptd64u62a878hep2kev88swjh3tw00gjsfl8f237lmu63q0uf63m
or (HEX):
82341f882b6eabcd2ba7f1ef90aad961cf074af15b9ef44a09f9d2a8fbfbe6a2
Advantages: Simple, nothing to do, universal (works on all clients)
Problems:
- Obviously not amazing for brand recognition
- Terrible to fight fake accounts, scams, impersonating etc.
- I seriously doubt that Nostr could onboard 500M+ users that way

2. Verification through a 3rd party

You use a dedicated service or app to get your handle (usually for a small fee) under their domain, and will be identified on the network as something like:
Advantages: Easy.
Problems:
- Your handle becomes entirely dependent on the chosen service. What if they disappear in a year? What if they change their policy/price? You have no guarantee whatsoever of the perennity of your handle, which is a problem if you start building a community around it.
- There is risk of concentration. If the majority of users get a handle at, say, damus.io, Damus becomes the new Twitter, not Nostr.
- In short, this solution re-introduces centralisation into Nostr.

3. Verification on your own, custom domain

You own a domain name and you use NIP-05 to make your handle verified. You will be identified as something like:
Advantage: You really control your handle, directly associated to your site/blog/brand
Problems:
- Not so easy to do. The process involves converting your npub address, creating a JSON file (simple) and sometimes changing the configuration of your Web server (best guides explaining the procedure: here and here). Doable, but could be challenging for many users.
- Since it's quite hard to register a domain name anonymously, you lose anonymity (not necessarily a problem since you're precisely trying to "verify" your identity).
- You also expose yourself to possible censorship. If you do something reprehensible or illegal on Nostr, authorities can ask your hosting provider to shut down your site/domain, terminating your Nostr handle in the process.
. . .
It looks like Nostr suffers from its own trilemma. Either you choose to stick to a poor UX (non-human-readable handles) or you go for solutions that will affect some of the key benefits of Nostr (decentralized, anonymous, uncensorable).
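The two mechanical steps listed under option 3 (converting the npub to hex, writing the JSON file) and the comparison a client makes against that file, as an added example that is not part of the original post or thread. It uses the npub/hex pair quoted in the post; the function names and any handle passed in are assumptions, and `strict=False` skips the bech32 checksum test.

```python
import json

CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"  # bech32 alphabet
GEN = (0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3)
# Key pair quoted in the post; handles used with it below are constructed.
POST_NPUB = "npub1sg6plzptd64u62a878hep2kev88swjh3tw00gjsfl8f237lmu63q0uf63m"
POST_HEX = "82341f882b6eabcd2ba7f1ef90aad961cf074af15b9ef44a09f9d2a8fbfbe6a2"

def _polymod(values):
    """bech32 checksum polynomial; a well-formed string evaluates to 1."""
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i, g in enumerate(GEN):
            if (top >> i) & 1:
                chk ^= g
    return chk

def npub_to_hex(npub, strict=True):
    """Decode a lowercase npub into the 64-char hex key that nostr.json stores."""
    hrp, _, body = npub.rpartition("1")
    if hrp != "npub" or len(body) != 58 or any(c not in CHARSET for c in body):
        raise ValueError("not a 32-byte npub")
    words = [CHARSET.index(c) for c in body]
    expanded = [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]
    if strict and _polymod(expanded + words) != 1:
        raise ValueError("bad checksum: mistyped or truncated npub")
    acc = 0
    for w in words[:-6]:  # the last 6 characters are the checksum
        acc = (acc << 5) | w
    if acc & 0xF:  # 52 * 5 = 260 bits, so the 4 padding bits must be zero
        raise ValueError("non-zero padding bits")
    return (acc >> 4).to_bytes(32, "big").hex()

def make_nostr_json(local, pubkey_hex):
    """Body to serve at https://<domain>/.well-known/nostr.json for one handle."""
    return json.dumps({"names": {local: pubkey_hex.lower()}})

def nip05_matches(identifier, pubkey_hex, nostr_json_text):
    """True only if the document fetched from the handle's domain maps its
    local part to exactly this key. Fetching is left to the caller."""
    local, _, domain = identifier.lower().partition("@")
    if not local or not domain:
        return False
    try:
        names = json.loads(nostr_json_text).get("names", {})
    except (ValueError, AttributeError):
        return False
    return isinstance(names, dict) and names.get(local) == pubkey_hex.lower()
```

A match shows only that whoever controls the domain published this key under that name.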
I consider "nostr verified" identity just a fancy feature. Not really necessary. I really don't give a shit if I am "verified" or not. Important is what you say on nostr not if you are verified.
reply
agree 100%
reply
But most people do. They want to know who they are receiving or giving money to…
reply
This is just Zooko's triangle, as with all other 'decentralized identity' systems. IMO the best solution would be a petname-based system.
There are four sources where you could meet nostr users:
  1. Meeting them on some other social media or internet platform or something, in which case they could just tell their nostr pubkey and preferred petname, perhaps using an automated protocol
  2. Knowing them IRL, in which case you can just ask them their key and (possibly) their petname
  3. Being introduced by a mutual, who can tell you their pubkey and petname
  4. Randomly meeting them on nostr, which means you already know their pubkey and can assign them any petname you want
reply
I think it would be a good interface feature to have them show the first few and last few characters in the npub. Discord has numbers for users as well, that's a combination system. It's easy to see how there can be easy scope for bots now and spam and scam... Yes, keet.io lets you define one with the identity you exchange with others to structure the chat log. It doesn't expose you to the key at all though, which annoys me.
reply
Has anybody discussed simply buying an identity on the bitcoin blockchain? Maybe even an ordinal or counterparty identity linked to a verifiable balance. Definitely would reduce scammers.
reply
Not too worried about it. Famous people, or at least people who are recognizable, will have their npub (or nip05) well known, possibly verified by other means. You can post your npub in your twitter bio. You can put it on your personal website (find me on nostr, npub76566xxx etc)
Any imposters will fade away over time
reply
Just so people know, if they didn’t, you can do the NIP-05 thing here with stacker news (and not have to pay sats to anyone)
reply
Censorship of npubs can happen too. It's just usually going to be in the interface layer. If there was name registration on the chain this wouldn't be a problem too, but name registration and resolution systems are not an easy problem to solve.
I had the idea of them being mined with a difficulty adjustment and the name has to appear in the target in place of the zeroes in the bitcoin difficulty adjustment scheme recently. It could be slow enough that there is usually only a dozen or so new ones each block. Something I've got in my mind for future work somehow.
reply
NIP-05 is not verification. It's just a handle.
Owning name@domain.com doesn't verify I am name and not an impersonator.
Only case where this may be verification is if it's on your own domain.
Also, NIP-05 providers being centralized does not introduce any major risks unlike content -- the only risk is that the provider rugs or they revoke your name/point it somewhere else. No loss of followers/content.
reply
With great power comes great responsibility.
reply