There's more, but this is the TLDR:
"Reputation is fundamentally different than money, you can move money to a fresh account if crypto keys get compromised, but you can't move reputation as it is granted to you by the choice of others to follow your account.
Thus, the idea that you can't reset your password, and that people should adapt to that, is a fundamental design flaw, and a non-starter."
And this is the solution he presents:
I would read the comments and his replies, though.
What do you stackers think?
related
I'm not opening a google drive document, but based on your TLDR, yes - key management on nostr has yet to be fully solved.
The best solution so far is nsecbunker (keys never leave the enclave).
Can you summarise the solution? Can't read the comments / replies as that requires a twatter account.
reply
It would be nice if nostr could do that like PGP
But PGP failed for over a decade precisely because this created a difficult user experience
And after that it got killed by a massive attack
Nostr at least has a chance of working, because it is simple
reply
I guess it's just a problem for influencers who want to build an audience. I couldn't care less if I lose my keys. And I'm not going to lose them. Still, my gut tells me it's a fixable problem, but how to do it is above my paygrade.
reply
PGP got killed ? By a massive attack?
Please elaborate? PGP is used by things like Debian and RedHat millions of times a day.
110 sats \ 2 replies \ @xz 16 Aug
"Trust-based social verification, revocation, signalling, and redistribution"
Correct me if I'm wrong but sounds a lot like how things work right now. I mean, for example, someone who nobody had heard of a year ago now 'ranks' highly through number of following accounts.
If that person's keys got compromised, they'd just use a backup set of keys and announce to their inner circle that they have new keys. Followers unfollow old and follow new.
I guess this is trying to address imposters and spoof accounts? Like someone who has global or significant audience. I feel nostr is not really the place for this. It's not that it couldn't serve that demographic, just that audience need to understand that verification is always something that is an active process.
If the audience cannot take responsibility for that, they also must realize that when tagging the account of said significant person, the response they get from said account might not be from the person they assume it is (i.e. secretary/P.R., etc.)
You could be duped into watching a deepfake from a verified account, or a body double in meatspace. Surely this responsibility to verify sources and the system to verify will scale given time?
reply
I'm with you, TBH. That's what makes Nostr fun, it's like the wild wild west. I guess Juan Galt would contest the "I feel nostr is not really the place for this" part. He wants to build an audience, now that he's kind of famous from that crazy documentary.
reply
Yeah. Something fresh about non-verified/non-checked nyms.
reply
Skill issue on his side
reply
Great argument, TBH.
reply
No no no
reply
yet another bad take
reply
I think nips 26 and 46 address this issue, and nsecbunker is an existing solution based on that spec.
reply
I haven't read those nips, but I will.
reply
13 sats \ 1 reply \ @k00b 16 Aug
This is shortsighted.
We need to build on it how it is first ... because we don't actually know what needs to be built yet ... because this stuff has never worked well before ... because otherwise we'll all be armchair programmers theorizing requirements that don't actually exist and building things that don't actually have demand and don't actually work.
reply
That makes sense. We're in the early innings. I guess Juan will reconsider once the project advances and gains traction.
reply
That's sad because Nostr does more than social networking. For example, distributed markets (services, goods, AI).
The great thing is you can cherry-pick some features/NIPs (or build your own) on Nostr for your app, and hopefully you don't necessarily need to deal with Twitter-like stuff.
reply
Great point man. Nostr is more than meets the eye, not participating is a definite risk.
reply
I'm very much still learning Nostr and how it works. My web3 background has been with Hive (the fork from Steemit after Justin Sun tried a takeover). My knowledge there has helped me understand Nostr, but also conflicts with the Nostr way at times.
Differences:
Nostr uses a pub/priv key pair where your public key is effectively your username. The "nym" that shows is nothing but a nametag, the public key is really you...your identifier.
On Hive, you have a human-readable username, mine there is "crrdlx"...that is your account, your identifier. Then, there are actually four private keys used. The reasoning is to ensure there are different levels of security.
"posting" key for posting stuff (like this)
"active" key for moving funds
"owner" key for managing everything
"memo" key for sending encrypted private messages
The logic is that you only use the lowest key needed, that way if it ever gets compromised, the hacker can't do the other things.
Clearly, Nostr doesn't do this type of splitting of keys.
As far as reputation, Hive actually has a "reputation" score that is shown by your username. Your reputation is based on upvotes/downvotes of others (their reputation score influences yours along with their vote). It's not perfect but, it offers a glance-assessment of every user.
As far as a restart to reputation, if my "crrdlx" account was hacked and taken over by someone, I could simply start another account, call it "real-crrdlx". Then, I would need to announce what happened and I'm starting over with a new username. Of course, I'd have to somehow prove I am actually "real-crrdlx." My followers would not automatically be moved over and I'd have to regrow reputation.
As I understand, this is effectively the same that would be needed on Nostr.
I really don't know a solution, this may be a web3 snafu that we must currently live with. Maybe something will be figured out in the future. The bottom line...
...protect your private keys and you'll be fine.
reply
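The tiered-key idea in the post above, worked through as an added example (this is not code from the post, from Hive, or from any Nostr client). It models the four role keys the post names, a policy that maps each operation to the roles allowed to authorize it, and owner-only key rotation. HMAC-SHA256 is used as a stand-in for real public-key signatures so the block runs on the Python standard library alone; the operation names and the policy table are constructed for illustration, and the authorization logic is the point: a leaked posting key cannot move funds, cannot rotate keys, and stops working once the owner key rotates it.

```python
import hashlib
import hmac
import secrets

# Constructed example: the four role keys described in the post.
ROLES = ("posting", "active", "owner", "memo")

# Constructed policy: which role may authorize which operation.
# The owner key outranks the rest ("owner key for managing everything").
POLICY = {
    "post":         {"posting", "owner"},
    "transfer":     {"active", "owner"},
    "rotate_key":   {"owner"},
    "encrypt_memo": {"memo", "owner"},
}


def new_keyring():
    """One independent random secret per role (assumption: 32-byte HMAC keys
    stand in for real signing keys)."""
    return {role: secrets.token_bytes(32) for role in ROLES}


def sign(key, message):
    """HMAC tag as a stand-in for a signature over `message`."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify(key, message, tag):
    return hmac.compare_digest(sign(key, message), tag)


def authorize(keyring, operation, message, claimed_role, tag):
    """True only if `claimed_role` is permitted for `operation` AND `tag`
    verifies under that role's *current* key. Both checks must pass, so a
    valid posting-key signature presented as 'active' still fails."""
    if operation not in POLICY:
        raise ValueError(f"unknown operation {operation!r}")
    if claimed_role not in POLICY[operation]:
        return False
    return verify(keyring[claimed_role], message, tag)


def rotate(keyring, role, message, auth_role, tag):
    """Replace `role`'s key. Only a signature accepted for 'rotate_key'
    (i.e. the owner key) may authorize this; a posting key cannot."""
    if not authorize(keyring, "rotate_key", message, auth_role, tag):
        return False
    keyring[role] = secrets.token_bytes(32)
    return True


def compromise_demo():
    """Walk through the scenario from the post: the posting key leaks."""
    keyring = new_keyring()
    leaked_posting = keyring["posting"]  # attacker now holds this key
    results = {}

    # 1. Attacker tries to move funds with the leaked key, claiming each role.
    msg = b"transfer 100 to attacker"
    results["transfer_with_posting_key"] = any(
        authorize(keyring, "transfer", msg, role, sign(leaked_posting, msg))
        for role in ROLES
    )

    # 2. Attacker tries to rotate the owner key using the leaked key.
    rot = b"rotate owner"
    results["attacker_rotates_owner"] = rotate(
        keyring, "owner", rot, "posting", sign(leaked_posting, rot)
    )

    # 3. Legitimate owner rotates the compromised posting key.
    rot = b"rotate posting"
    results["owner_rotates_posting"] = rotate(
        keyring, "posting", rot, "owner", sign(keyring["owner"], rot)
    )

    # 4. Old posting key no longer posts; the fresh one does.
    note = b"hello"
    results["old_key_posts_after_rotation"] = authorize(
        keyring, "post", note, "posting", sign(leaked_posting, note)
    )
    results["new_key_posts"] = authorize(
        keyring, "post", note, "posting", sign(keyring["posting"], note)
    )
    return results


if __name__ == "__main__":
    for name, outcome in compromise_demo().items():
        print(f"{name}: {outcome}")
```

The design choice worth noticing is that `authorize` checks the role table before it checks the signature, and checks the signature against the key currently stored for the claimed role rather than against whatever key the caller presents. That is what makes rotation meaningful: once the owner key replaces the posting key, every signature made with the leaked key fails verification, and nothing the attacker holds can authorize the rotation itself. A single-key identity (as on Nostr today) has no equivalent of step 3, which is the gap the thread is discussing.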
Bitcoin only, new friend.
reply
Okay, understood.
reply