2024-05-31 17:30:02

ChipTuner on Nostr: Maybe I'm too much on the extreme ends here, but since we have no proper ...

Maybe I'm too much on the extreme ends here, but since we have no proper cryptographic mechanism for keypairs, if an nsec is ever stolen, you permanently lose your identity and every account that used it for authentication. Because of this, I don't think we should be building any tools that can pose risk to key theft SOLELY for the sake of convenience or on-boarding.

Great, the UX is easy, and tons of people sign up, go transferring their keys all over the place and many of them will get their identities stolen.

Yes I understand the argument: well it's probably better than users copy-pasting nsecs everywhere, yeah it probably could be. Still think that's a different argument though. Nostr is different than traditional app UX, I think we need to stop pretending we can make it work how people are "used to it" and educate.

I'm not sure where we need to take these actions, but I will still advocate for less key attack surface area. My signing app doesn't even have the code to extract private keys and likely never will.
Author Public Key
npub1qdjn8j4gwgmkj3k5un775nq6q3q7mguv5tvajstmkdsqdja2havq03fqm7