I guess I should specify that I’m open to a different approach wherein using Nostr keys and some other key (gpg) a user can mutually sign.
That is, the user uses Nostr to sign a message declaring ownership of the gpg key, and the gpg key to declare ownership of the Nostr identity. Only someone with both keys could do this.
Curious if anyone has written up a specification for this approach, which would allow Nostr follows to bridge into web-of-trust for, say, binary attestation with gpg.
So for example. I recently got Qubes OS. Downloaded the iso through BitTorrent, then validated against their signing key, which I had to download and install separately.
Could this process be made simpler by having a Qubes OS nostr identity which co-signed the gpg key proof? Then as long as I follow someone who transitory follows Qubes OS on Nostr, a UI could show me the trust graph and I could approve it (or something).
jimbocoin / jimbocoin 🃏
npub1v9…x9q3h
2024-08-28 16:50:57
in reply to nevent1q…yz5c
Author Public Key
npub1v9qy0ry6uyh36z65pe790qrxfye84ydsgzc877armmwr2l9tpkjsdx9q3hPublished at
2024-08-28 16:50:57Event JSON
{
"id": "4a0abc8b7c066cb02038225cef30f580795c020dbafc45a6489cdd1579844ef0",
"pubkey": "6140478c9ae12f1d0b540e7c57806649327a91b040b07f7ba3dedc357cab0da5",
"created_at": 1724856657,
"kind": 1,
"tags": [
[
"e",
"b84f3f6c9fd23faa7503d067a3ba650e0c8cfe183d38c74cd19c0857b988612d",
"wss://purplepag.es/",
"root"
],
[
"e",
"9937b9374018554b7f3b2622846928bfdf73e7cb492a7112c455cd92c94d89f0",
"",
"reply"
],
[
"p",
"036533caa872376946d4e4fdea4c1a0441eda38ca2d9d9417bb36006cbaabf58"
],
[
"p",
"4c800257a588a82849d049817c2bdaad984b25a45ad9f6dad66e47d3b47e3b2f"
],
[
"p",
"52b4a076bcbbbdc3a1aefa3735816cf74993b1b8db202b01c883c58be7fad8bd"
]
],
"content": "I guess I should specify that I’m open to a different approach wherein using Nostr keys and some other key (gpg) a user can mutually sign.\n\nThat is, the user uses Nostr to sign a message declaring ownership of the gpg key, and the gpg key to declare ownership of the Nostr identity. Only someone with both keys could do this.\n\nCurious if anyone has written up a specification for this approach, which would allow Nostr follows to bridge into web-of-trust for, say, binary attestation with gpg.\n\nSo for example. I recently got Qubes OS. Downloaded the iso through BitTorrent, then validated against their signing key, which I had to download and install separately.\n\nCould this process be made simpler by having a Qubes OS nostr identity which co-signed the gpg key proof? Then as long as I follow someone who transitory follows Qubes OS on Nostr, a UI could show me the trust graph and I could approve it (or something).",
"sig": "ecaa8c5bbe64beecfb4aa1587d759cf2d2b3ba6a25e6cf748e92fdfdf8904b5b69f8cea54f47a0d158d5b01d338055e1a72cac1fd3fd99aa213204b663a93db2"
}