I'm just starting to research this more, but I've got a #Nostr question pertaining to private keys and security.
As a best practice, it seems like we don't want people to use their NSec to log into a bunch of different clients. Instead, it seems a more favored practice these days is to delegate something to do your signing for you, like the Alby browser extension.
The user experience is pretty good, and it seems like the current wisdom is to use the browser or a mobile client for this, instead of storing it on a server. My general inquiry is, how secure is this? Is this the best way to do things?
On the #Fediverse side of things, it's more common to see OAuth for client auth. Of course, that all relies on servers, and goes a bit against a peer-to-peer model.
I'm curious as to whether a hybrid approach is possible, or even makes sense: allowing users to tether themselves to some kind of identity provider that more or less does delegated key rotation and some kind of Auth dance for them?
Sean Tilley
npub1ld…fn99t
2024-06-02 12:26:30
Author Public Key
npub1ldzlnqkjf3ka4tkszt3gcfg5hfeq0gyv6uud2t385hhksfmx0yqq8fn99tPublished at
2024-06-02 12:26:30Event JSON
{
"id": "fc5e1deee11924efc45ac01fbecd102d1ffd5c1e44ae26e6b201deb1212b73ff",
"pubkey": "fb45f982d24c6ddaaed012e28c2514ba7207a08cd738d52e27a5ef6827667900",
"created_at": 1717323990,
"kind": 1,
"tags": [
[
"t",
"Nostr"
],
[
"t",
"nostr"
],
[
"t",
"Fediverse"
],
[
"t",
"fediverse"
]
],
"content": "I'm just starting to research this more, but I've got a #Nostr question pertaining to private keys and security. \n\nAs a best practice, it seems like we don't want people to use their NSec to log into a bunch of different clients. Instead, it seems a more favored practice these days is to delegate something to do your signing for you, like the Alby browser extension. \n\nThe user experience is pretty good, and it seems like the current wisdom is to use the browser or a mobile client for this, instead of storing it on a server. My general inquiry is, how secure is this? Is this the best way to do things?\n\nOn the #Fediverse side of things, it's more common to see OAuth for client auth. Of course, that all relies on servers, and goes a bit against a peer-to-peer model.\n\nI'm curious as to whether a hybrid approach is possible, or even makes sense: allowing users to tether themselves to some kind of identity provider that more or less does delegated key rotation and some kind of Auth dance for them?\n",
"sig": "26df99a82ac8a476e8a94d688afdaeea4e7239db02fa4fbb5f5d64364079dc6873887956c1a1e2672eb295356e9154350e26aad256217652c273fbb0220f1c0b"
}