 For Nostr.Band, @brugeman bases the entire Trust Ranking system (initial weighting) on “For now, trusted pubkeys are ones with nip05 from a good provider”. 

What are plans to move beyond NIP05 as a base of trust?

https://trust.nostr.band/
nostr:note1hudr7vszac69dxm3wswqgwtlaxskcuz29l50xuk3j9lty9yd34jspc7v66 
 Could we expand web of trust by having users verify other npubs?  Have a "yeah this guy's legit" button or something.

It's obviously gameable because of bots, but I think the fix is to start close to yourself in the social graph.  Assuming most of the npubs you follow are legit, how many of them appear to trust the npub in question?  Do they interact often?

The hardest part is helping new users to find trusted npubs to follow. 
 “The hardest part is helping new users to find trusted npubs to follow”

Social onboarding fixes this. Funding is lined up. Dev already started. 
nostr:note14nw5tul8q26p369yn0mvppwp08nf7h6xqcyewxakgqpcv0t25gvs4sur8q 
 You're talking about invite-based onboarding? 
 Yes. Essentially. With tools and incentives for mentorship. 
 > “Could we expand web of trust by having users verify other npubs?  Have a "yeah this guy's legit" button or something.”

This is the way… but can it scale?

We are working on a couple NIP proposals. One will allow users to “sign” the contents of each other’s (identifying) profile fields, verifying that they are not scam or bot accounts. In this way, “trust” is relative to the size and participation of your network. 

… with social onboarding, trust in this manner is instantly applied to new accounts, greatly accelerating adoption.

But still… curation is key.
https://i.nostrimg.com/c9d737e31af1fabc355459e7ade27a6b0ec90704e630a2b23a64f7301dc8f90d/file.jpeg 
 Coracle uses your follow and mute lists this way. The problems are 1. Private follows, which could become more popular in the future, and 2. Bootstrapping new users. That could be done in a lot of ways, for example with PoW, or an artificial trust rank where services verify the pubkey via captcha, payment, or something else. 
 I didn't know private follows are being considered.  What is the case for those? 
 I'm not sure if they're used anywhere, but private mutes exist. I could see people wanting more privacy for their social graph, that's really some of the most delicate information we have. 
 Yes. The “default” follows list is the only follows list that should be “mandatory” public (by convention only) and even this could be curated.  
 There's a tension there, because the social graph is the most game-changing element of Nostr.  Nostr as the social layer of the whole Internet is a largely untapped potential, and private follows obviously limit some of that potential.

If all social graph data is private, then a large chunk of the Nostr value proposition disappears, IMO.  However, allowing users some discretion would be good. 
 Totally agreed, I'm not sure what the right solution is. Private groups highlight this tension because you might want to follow people you're in a group with, but then you're actually potentially leaking data about your association that would otherwise be private. Something to think about. 
 How is the “open” social graph nostr’s game changer? This has been part of social networks since the beginning. 

Granted, there is a tension between having open and private relationships… (and nostr does have potential to be the social “identity management” layer of the internet) but I don’t see this as threatening to Nostr’s value as a protocol for distributed identity management (on the social web).

Fact is: Social graphs have been a part of social media since its inception. While nostr’s open architecture has potential to revolutionize this, it is hardly itself nostr’s value prop. 

Also fact: people want privacy. Private groups are a thing. Without private relationships as well, people will just use private anon accounts. Thank god for nostr to support truly anon accounts. 

Nostr’s value to the internet is in respecting people’s privacy while preserving their data integrity and sovereignty across any app. Private follow lists fall right into this value prop, despite the obvious challenge of keeping social graphs meaningful and accessible.  
 I think the thing Nostr does is make the social graph an accessible, inherent part of the protocol itself.  It used to be the social graph was accessible only through proprietary APIs, but since Nostr is an open protocol, that social graph is now available to any application using the protocol.

Of course, that is the exact reason why one would want privacy, but fortunately there are a number of possible ways of preserving privacy, not least of which is anonymity. 
 they would just be private events encrypted to the user themselves that contain follow lists

i don't see any reason why not to do them or how it really harms what people are happy to make public

the price of many commodities and equities on exchanges have "dark pools" too, people sometimes have reasons for this, but if they interact with their hidden follows they are gonna leak it anyway 
 “Bootstrapping new users” onto a peer-to-peer trust ranking system is easy… no algos needed … with tools to power “word of mouth” advertising nostr grows AND new users are instantly trusted. 

#winwin
https://nostrmeet.me 
 you could establish some kind of numbers based on engagement too, this would not necessarily be trust but a social graph association weighting 
 With an approach of 'each client publishes trust assignments then clients calculate trust ranks' private follows can be handled - your trust assignments would give non-zero values to privately followed users (if you so wish) and then others would use that info. Ofc if you want to keep your trust assignments 'private' that won't help.

Onboarding for new users is already a problem and requires some input from them - 'topics' etc, some seed from which we could work. Any seed will inevitably lead to some 'preferred' profiles, whose trust assignments can be used to calc trust ranks for this new user and show them something 'trustworthy'.

As for bootstrapping trust for new users - this has always happened naturally, through a friend (someone invited you to join right?) or through genuine organic interactions (new user interacts with others and they reply and some trust is passed). But organic interactions take time, and also on Nostr it might simply be too costly to organically outpace bots that will try to gain trust the same way. That's the only place where I think PoW makes sense, also trust-bootstrapping services, or OpenTimestamp (onchain tx) with non-trivial fees spent (or a burn - but that's wasteful).  

Link to trust assignments note: nostr:note13vpt4uqmfljhy9ql8rur23dpepkd8dkryxcp9mlf2wqjgxwj6puqnj3n6j 
 > “But organic interactions take time, and also on Nostr it might simply be too costly to organically outpace bots that will try to gain trust the same way.”
@brugeman

I see “organic interactions” as not only “the best” way to overcome Nostr’s novel (not insignificant) onboarding hurdles, but also kind of a super power that the nostr community has over other “less exciting” socials. I actually see a real opportunity for nostr in this way. 

I’m developing a social onboarding client to serve exactly this need (instant trust scores and recommended clients and relays) powered by real human nostr advocates.
https://nostrmeet.me

Are you saying this might be a wasted effort… that humans may be powerless against the machines to manage trust in a social network? Or are you just saying “humans are complicated and machines are less so”? Thanks.  
 I'm not saying your work is a wasted effort, bcs right at the beginning of the paragraph that you're citing, I say 'naturally through friends' - that's exactly the best way to onboard someone and pass some trust you have to them. 

I watched your video, looks great and I fully support your effort. 

All I'm saying is that if someone has NO friends on nostr and joins nostr then they're indistinguishable from a bot. In fact, on Nostr they're much more likely to be a bot bcs it's an open network. And if they have to prove they're worthy of trust/attention by organic interaction then it will be hard bcs bots will be much more productive and persistent in attempts to gain trust by liking/commenting etc. For such people with no friends, doing PoW or paying fees seem like the only options to outpace bots.  
 > “if someone has NO friends on nostr and joins nostr then they're indistinguishable from a bot. In fact, on Nostr they're much more likely to be a bot bcs it's an open network.” @brugeman 

The challenge of rapidly on-ramping HUMAN users into their own web-of-trust is an existential threat AND unique opportunity for Nostr. 

Because Nostr is out in the open, without the protective walls of centralized trust allocation, organic trust between humans is the ONE WAY that Nostr will avoid (the image of) being “overrun” by bots and bad actors.

They will come in large numbers. Our only hope is to establish tools for decentralized trust that keep humans out of their reach, without being isolated from each other. 

This has never been done before. All bets are on the table. But my bets are on leveraging IRL relationships to onboard “word of mouth” new users to trusted networks. 

This is why:
https://nostrmeet.me 
 But seriously. Also we need better tools for establishing web of trust. Thanks for your work on this with Spring. I have thoughts and would like to join the convo… 
 I'm happy to participate in public discussions of this, better tools are very welcome! 
 Onboarding through friends is great in many ways so any tools that help with that are worth exploring  
 follow lists literally are part of this

i think if you add in the number of reply/like events from a user to their follows it could work as a trust rating

having it in clients to hide your follows would reduce some of the effectiveness of this but at the same time the likes and replies do still exist in public on public events 
 You could base a client-side algorithm on that.  The algorithm could see the user's follow list, other users' public follows, and all public interactions.  There's plenty of data there that can be cross-referenced into a tailor-made recommendations or trending list, but all the code and data processing could happen securely in the client. 
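
A sketch of the client-side ranking discussed in the posts above (start from your own follows, count their public follows and their replies/likes), as an added example that is not from any participant in this thread or from any Nostr client. Event kinds follow NIP-01/02/25; the weights, the per-pair cap and the shortened pubkeys are assumptions made for illustration.

```javascript
// Added example: constructed events with shortened, hypothetical pubkeys.
// Kinds per NIP-01/02/25: 3 = follow list, 1 = text note, 7 = reaction.
const events = [
  { kind: 3, pubkey: "me",    tags: [["p", "alice"], ["p", "bob"]] },
  { kind: 3, pubkey: "alice", tags: [["p", "carol"], ["p", "bob"]] },
  { kind: 3, pubkey: "bob",   tags: [["p", "carol"]] },
  { kind: 7, pubkey: "alice", tags: [["e", "n1"], ["p", "carol"]] },
  { kind: 1, pubkey: "bob",   tags: [["e", "n1"], ["p", "carol"]] },
  { kind: 1, pubkey: "bob",   tags: [["e", "n2"], ["p", "carol"]] },
  // Bot cluster: follows and likes stay inside the cluster.
  { kind: 3, pubkey: "bot1",  tags: [["p", "bot2"]] },
  { kind: 3, pubkey: "bot2",  tags: [["p", "bot1"]] },
  { kind: 7, pubkey: "bot1",  tags: [["e", "n9"], ["p", "bot2"]] },
  { kind: 7, pubkey: "bot2",  tags: [["e", "n8"], ["p", "bot1"]] },
];

const pTags = (ev) => ev.tags.filter((t) => t[0] === "p").map((t) => t[1]);

// Real follow lists are replaceable; keep only the newest per pubkey before calling this.
function followsOf(pubkey, evs) {
  const list = evs.find((e) => e.kind === 3 && e.pubkey === pubkey);
  return new Set(list ? pTags(list) : []);
}

// Assumed weights: a follow counts 1, each reply/like 0.25, at most `cap` per author-target pair.
function trustScores(viewer, evs, { followWeight = 1, interactionWeight = 0.25, cap = 4 } = {}) {
  const mine = followsOf(viewer, evs);
  const scores = new Map();
  const perPair = new Map(); // "author>target" -> interactions counted so far
  const add = (target, amount) => scores.set(target, (scores.get(target) || 0) + amount);
  for (const ev of evs) {
    if (!mine.has(ev.pubkey)) continue; // only the viewer's own follows can vouch
    for (const target of new Set(pTags(ev))) {
      if (target === viewer || target === ev.pubkey) continue;
      if (ev.kind === 3) add(target, followWeight);
      else if (ev.kind === 1 || ev.kind === 7) {
        const key = ev.pubkey + ">" + target;
        const n = (perPair.get(key) || 0) + 1;
        perPair.set(key, n);
        if (n <= cap) add(target, interactionWeight); // one chatty follow cannot dominate
      }
    }
  }
  return scores;
}
```

For the viewer `me`, `carol` is vouched for by both follows and their interactions, while the bot cluster gets no score at all because none of the viewer's follows reference it.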
 We're starting to play with client-side trust ranking nostr:note13vpt4uqmfljhy9ql8rur23dpepkd8dkryxcp9mlf2wqjgxwj6puqnj3n6j 
 where is spring, you didn't drop one link to it in that! 
 New year holidays took way too long 
 i don't mean the season, it's the name of some nostr client or something? 
 Ah https://spring.site/ 
 but that's not a client it's a client PWA runner, right? 
 It's a web browser with built-in nostr key management and some nostr client features.  
 ok, if this runs on linux i'm gonna try it out 
 ok, that's a no, but on mobile yes 
 Very interesting.