 so like, you know a relay can profile you super easily just with client fingerprinting right?  being annoyed with auth, i hope it's for good reason and that you're aware that clients already send telltale signs of what pubkey you are just from making reqs every time they open.

if you already know this and have your own client or etc, or do not feel this fingerprinting is as annoying as auth .. you can use a shared auth key with multiple people, and have the same level of obfuscation for your reqs that you would without auth.

the benefits of auth are many on the operation side (dynamic req limiting) and client side (DMs etc).  so i think it's very important to head this direction.. whether it's pubkeys, zaps, ecash, or zkps i don't know?  nostr does not have the equivalent of a robots.txt
 there is also the possibility of requiring auth but being a free relay, but having a scaling rate limit that allows more traffic the longer you use the same one, this permits rate limiting and the client can make up a session key for this and not persist it

you can only impute this via request fingerprinting and IP addresses otherwise, so it would allow free tier service to be more generous without being an open back door for spam 
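
The scaling rate limit described in the post above, sketched as an added example (not code from the thread or from any relay implementation). It assumes the relay has already verified the client's auth and passes in the authenticated pubkey; the class name, the constants and the doubling-per-hour policy are all hypothetical choices.

```python
import time
from dataclasses import dataclass

# All four values are assumed policy knobs, not taken from any relay.
BASE_RATE = 1.0        # requests/second for a key the relay has never seen
MAX_RATE = 20.0        # ceiling for long-lived keys
DOUBLING_SECS = 3600   # allowance doubles for every hour the key stays in use
BURST_SECS = 10        # bucket capacity, in seconds of the current rate

@dataclass
class Session:
    first_seen: float   # when this auth key first appeared
    tokens: float       # requests currently available
    last_refill: float  # last time the bucket was topped up

class ScalingLimiter:
    """Token bucket per authenticated pubkey whose refill rate grows with key age."""

    def __init__(self):
        self.sessions = {}  # pubkey (hex string) -> Session

    def rate_for(self, pubkey, now):
        s = self.sessions.get(pubkey)
        age = 0.0 if s is None else now - s.first_seen
        return min(MAX_RATE, BASE_RATE * 2 ** (age / DOUBLING_SECS))

    def allow(self, pubkey, now=None):
        now = time.time() if now is None else now
        s = self.sessions.get(pubkey)
        if s is None:
            # A throwaway session key is accepted, but starts at the base tier,
            # so rotating keys to dodge the limit also throws away the allowance.
            s = self.sessions[pubkey] = Session(now, BASE_RATE * BURST_SECS, now)
        rate = self.rate_for(pubkey, now)
        s.tokens = min(rate * BURST_SECS, s.tokens + (now - s.last_refill) * rate)
        s.last_refill = now
        if s.tokens >= 1.0:
            s.tokens -= 1.0
            return True
        return False  # over the limit: reject or delay this REQ
```

A production relay would also evict sessions that have been idle for a while so the table cannot grow without bound.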
 I'm aware that right now most clients make fingerprinting pretty easy (see nostr:nevent1qvzqqqqx2cpzpgqgmmc409hm4xsdd74sf68a2uyf9pwel4g9mfdg8l5244t6x4jdqy88wumn8ghj7mn0wvhxcmmv9uq3wamnwvaz7tmjv4kxz7fwdehhxarj9e3xzmny9uqzp3qu0jnya9ds0dnw5wa0q8y7p9g9t9eq38n3dpztnhlmu6ye2ejxy6acyk), but normalising auth-to-read removes all doubt and possibility for clients to resist this later.
I've thought more about zkps and either the relay must reveal their whitelist or the user sends a list that could easily fingerprint them.
I don't have any easy answers for an alternative. Attaching ecash to request messages could be interesting.