
What is NIP-05 really?

If you look at the spec, it's a way to map Nostr public keys to DNS-based internet identifiers, such as name@example.com.
If you look at Nostr Plebs:
It's a human readable identifier for your public key. It makes finding your profile on Nostr easier. It makes identifying your account easier.
If you look at basically any client, you see a checkmark, which you assume means verification.
If you ask someone, they probably will call it verification.

How did we get here?

Initially, there was only one client, which was (kind of) the reference implementation: Branle.
When it added support for NIP-05 identifiers, it used to replace the display name with the NIP-05 identifier, and it had to distinguish a NIP-05 from someone setting their display name to a NIP-05. So they added a checkmark...
Then there was astral.ninja and Damus: The former was a fork of Branle, and therefore inherited the checkmark. Damus didn't implement NIP-05 until a while later, and they added a checkmark because Astral and other clients were doing it.
And then came new clients, all copying what the previous ones did... (Snort originally did not have a checkmark, but that changed later.)

The first NIP-05 provider

Long story short, people were wondering what NIP-05 is and wanted it, and that's how Nostr Plebs came to be.
They initially called their service verification. Somewhere between January and February, they removed all mentions of verification except one (because people were searching for it), and publicly said that NIP-05 is not verification. But that didn't work.
Then, there were the new NIP-05 providers, some understood perfectly what a NIP-05 identifier is and applied the correct nomenclature. Others misnamed it as verification, adding confusion to users. This made the problem worse on top of the popular clients showing checkmarks.
(from this point in the article we'll refer to it as a Nostr address)

And so, the scams begin

Spammers and scammers started to abuse Nostr addresses to scam people:
  • Some providers have been used by fake crypto airdrop bots.
  • A few Nostr address providers have terminated a multitude of impersonating and scam identifiers over the past weeks.
This goes to show that Nostr addresses don't verify anything, they are just providers of human readable handles.

Nostr addresses can be proof of association

Nostr addresses can be a proof of association. The easiest analogy to understand is email:
jack@cash.app -> You could assume this is the Jack that works at Cash App.
jack@nostr-address-provider.example.com -> This could be any Jack.

What now?

We urge that clients stop showing a checkmark for all Nostr addresses, as they are not useful for verification.
We also urge that clients hide checkmarks for all domain names, without exception, in the same way we do not show checkmarks for emails.
Lastly, NIP-05 is a nostr address and that is why we urge all clients to use the proper nomenclature.

Source
I think people know what NIP-05 is, and I find it useful.
For example, you could bring your identity of AR0w@stacker.news to nostr if you want to. People will be able to know that the content they are reading on another platform is from you.
reply
I don't think this is logically consistent. If an address can prove your association to a domain, then the client has to verify the proof. Thus, displaying Nostr addresses without informing the user if they're verified by the client or not seems like a bad idea.
If you want to remove the checkmark, then the address should probably not be displayed at all until verified.
reply
Good point. I will have to update this on Nosta, just created an issue for it. They are really just "handles", maybe there's some icon that can be derived from that, ideally one that can be broadly adopted.
reply
It’s still a form of verification, as you show from your example. It verifies control of the server and DNS for the specified domain.
Maybe clients should display a “potential spoofing” warning if the username contains a domain that doesn’t match where the nip05 is hosted. That’s different than saying it verifies nothing.
reply
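Added example (not part of the thread or of any client's code): a JavaScript sketch of the two client-side checks raised in the comments above, confirming that the domain's /.well-known/nostr.json lists the profile's key, and flagging a display name that mentions a domain other than the one vouching for it. The function names, status strings and sample keys are assumptions made for illustration; the well-known path and the `names` map follow NIP-05.

```javascript
// Added example: constructed keys and documents, no network access.
const HEX_KEY = /^[0-9a-f]{64}$/;
const NIP05 = /^([a-z0-9._-]+)@([a-z0-9.-]+\.[a-z]{2,})$/;
const DOMAIN_IN_TEXT = /[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}/g;

// Split "name@domain"; NIP-05 local parts are limited to a-z0-9-_.
function parseNip05(identifier) {
  const m = NIP05.exec(String(identifier).trim().toLowerCase());
  return m ? { name: m[1], domain: m[2] } : null;
}

// URL a client fetches for the identifier (NIP-05: do not follow redirects).
function wellKnownUrl(id) {
  return `https://${id.domain}/.well-known/nostr.json?name=${encodeURIComponent(id.name)}`;
}

// Compare the parsed nostr.json body with the key that signed the profile.
// A match proves only that the domain lists this key, not who the person is.
function checkAssociation(profile, doc) {
  const id = parseNip05(profile.nip05);
  if (!id) return "invalid-identifier";
  const names = doc && typeof doc.names === "object" ? doc.names : null;
  const listed = names && Object.prototype.hasOwnProperty.call(names, id.name);
  const mapped = listed ? names[id.name] : null;
  if (typeof mapped !== "string" || !HEX_KEY.test(mapped)) return "not-listed";
  return mapped === profile.pubkey ? "domain-lists-this-key" : "key-mismatch";
}

// Domains mentioned in the free-text display name that are not the domain
// whose nostr.json actually lists the key: candidates for a spoofing warning.
function unbackedDomains(profile, status) {
  const id = parseNip05(profile.nip05);
  const vouching = status === "domain-lists-this-key" && id ? id.domain : null;
  const claimed = (profile.displayName || "").toLowerCase().match(DOMAIN_IN_TEXT) || [];
  return claimed.filter((d) => d !== vouching);
}

// Constructed sample: a provider lists the key, the display name cites cash.app.
const KEY_A = "a".repeat(64);
const providerDoc = { names: { jack: KEY_A } };
const profile = {
  pubkey: KEY_A,
  nip05: "jack@nostr-address-provider.example.com",
  displayName: "jack@cash.app",
};
const status = checkAssociation(profile, providerDoc);
console.log(status, unbackedDomains(profile, status));
```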
Fair point. To nostrplebs.com's credit, they do seem to lay it out as is ...
'It's a human readable identifier for your public key. It makes finding your profile on Nostr easier. It makes identifying your account easier. A NIP-05 ID also provides you with a shiny verified checkmark!'
... which is why I sent them a few sats. It's not that I thought I'm verifying who I am. After all, who am I but a pleb. I just wanted to make it human-readable. I figure if I was on bird app and there's a blue-check by @real_important_person handle, it doesn't mean that the tweet I'm reading, or the pm I'm sending will be written or read by said important person. Did someone hack into the account?
I guess, in the world of nyms, 'verification' is a process not a transaction. Someone who just generated an nsec, and searched a nym might find a few human-readable matches, if you have listened to that person or interacted with that person, it should be pretty easy to verify with a degree of certainty.
reply
I agree. I initially didn't get why something so easy to implement was considered "verification". I even posted about it. But, admittedly, since there were verification services popping up I thought maybe I could make one as well and earn some sats. I really like your little history lesson about nip-05 here though. It helps bring context to how we got here. I'm going to take down my little verification service because of it.
reply
It only makes sense when you know the user at the other platform, of course.
So for example, dylan@stacker.news would be a useful NIP-05 for people to know that it is the same user in nostr and SN.
Having a NIP-05 from a random site where you don't have any content makes no sense, other than just showing an association of your persona with that random site.
reply
Totally agree
reply