Figured I’d share this since I saw it.

The nostr relay thing does seem a bit… off to me. Not sure what really makes nostr better than here… Unless what we really want is a twitter experiance. Which I, of course, do not.

  • Masterofballs@exploding-heads.com
    link
    fedilink
    arrow-up
    1
    ·
    1 year ago

    I don’t really understand that. Sounds like there needs to be some kinda central authority for that to work. I would have to read more about it. The guy who made nostr is really good with crypto stuff though. Someone said he was a core bitcoin developer.

    • logen@exploding-heads.comOP
      link
      fedilink
      arrow-up
      1
      ·
      1 year ago

      As I recall back when I did gpg encrypted email.

      You can create a master key. You use this master key to sign other keys.

      Keep that master key super safe.

      The subkey is what you use in general practice.

      You upload your public keys to keyservers, which I believe is what happens with nostr nodes.

      Your master key can revoke the subkeys at any time. This revocation is sent to keyservers and the public key is marked as invalid so other people don’t trust it.

      You then make a new subkey signed by your master key to prove it is still you, but with a new key, and upload that public key.

      Now that’s the key people use to encrypt data for you, as opposed to the old revoked one.

      Now, I’m not sure exactly how it works either with the keyservers or nostr, but it seems like it should be doable. Have an air gaped master key that is only used to sign the keys you use day to day, and it’s that master key’s signature that is the verification of your identity.

      Bonus points to this system, I can have five different nostr apps each create their own key. I could later verify all those keys with my master key to prove each of these different keys belong to the same identity. With that verification, if implemented of course, the noster nodes could link all the pub keys signed by the same master key to help people follow an identity across different types of content.

      I know I’m somewhat confusing different points I was trying to make, but it should all be possible.

      • Masterofballs@exploding-heads.com
        link
        fedilink
        arrow-up
        1
        ·
        1 year ago

        Ok so the masterkey and the key server are the central authority. You can implement the same thing in nostr. For example, someone could just manage your key for you. And you interact through a normal username and password. I’m sure those kinda service will come about.

        • logen@exploding-heads.comOP
          link
          fedilink
          arrow-up
          1
          ·
          1 year ago

          Well, you do all this on the client side. It’s just that the nodes would manage your pubkeys. (Which the might already do?)

          If your key gets hijacked by someone, it’s nice to be able to push a revocation certificate, if nothing else.

            • logen@exploding-heads.comOP
              link
              fedilink
              arrow-up
              1
              ·
              1 year ago

              Like a nostr node, anyone can set one up and they can share information with each other.

              If you use Linux, you may notice that the keys are updated from time to time, that’s your system contacting keyservers to get a copy of the public keys to verify package integrety.

              But yea, they have a central authority, kinda, but really it’s just a place for people to store their public keys so people can use it to verify cryptographically signed content, or encrypt data meant only for the owner of the key pair that the public key is attached to.

              To me, it looks like nostr nodes do this, there’s just nothing implemented yet to recover a hijacked key. Tom (if anyone remembers him) could get a following of 10k people, happen to lose control of his private key, and then we are back to the same problem of a central authority banning someone… Possibly even worse because, well, identity theft without a way to proove it.

              At this point, at the very least, I’d like the owner of the private key (regular users) to be able to send a revocation certificate to a node which will flag this particular public key as compromised. Other nodes will see this and the flag will spread. Revocation certificats can only be made by someone with access to the private key. So we shouldn’t have any censorship issues here.

              tl;dr of everything I’m going on about here so far

              I’d like nostr to implement a way for users to print out revocation certs, just like how we can backup our private keys, so that users have the ability to report compromised accounts to the nodes.

              I’d also like there to be a system where we can recover from the above situation without having to start over and rebuild trust under a new identity. Such as having a backup key that can veryify a new key belongs to the person who’s claiming it.

              We already have a solution for all this, it’s just a mater of nostr nodes supporting it.

              • Masterofballs@exploding-heads.com
                link
                fedilink
                arrow-up
                1
                ·
                1 year ago

                Back up isn’t really a problem atleast. You can access everyone’s followers on nostr. Everything is public. Person to person messages are kept private with encryption. If you lose your PK though those all become public.

                • logen@exploding-heads.comOP
                  link
                  fedilink
                  arrow-up
                  1
                  ·
                  1 year ago

                  My problem lies with the identity theft and recovery.

                  It’s the public followers I lose.

                  If Masterofballs says, “Hey, I lost my old key, this is my new one, everyone follow me!” How do I know you are you? How do I know that the identy was even lost? How do I trust you are who you say you are? Especially if someone else has your old key and is impersonating you? Or, mehbe this new account is the impersonator.

                  It’s a real problem for someone trying to maintain some sort of identity, which, to greater or lessor extents, we all are.

                  If you just want to be anon, this system works well enough, but if you want to maintain your reputation… there are challanges we need to overcome.

                  Or, since I really don’t know much about nostr, mehbe they are already working on this problem.

                  Trustless systems need to be robust.

                  • Masterofballs@exploding-heads.com
                    link
                    fedilink
                    arrow-up
                    1
                    ·
                    1 year ago

                    I mean I know this isn’t a answer for everyone but I maintain like wolfballs.com . And I can post my information there. domain names are reasonably anonymous and so far has not been attacked by censorship. Other than that, keep your shit secure I guess. But yeah I can see the value in increasing that security.