I log into solid either with nostr NIP-98 or username/password or OIDC. You can do the same with SSH. Some VPS make you log in with password first time. There's no real "defeats the purpose" of SSH. Same with nostr, just use the right tool for the right job. It's going to take years to transitions users from what they are used to, in any case. https://image.nostr.build/11d185d5e99c342e60b49c93082b7929c9f81a8e871281a598c89aaf0507e681.jpg
I wish it were that simple. But I have to sign events with their key - ssh doesn't. So it's not just a "tell me who you are" problem, but a "how do I BE you" problem. The only way to accept a password is to custody the user's keys, which I do think defeats the purpose. ActivityPub and Bluesky have keys too (held by the server instead of the user), and this is the one thing about Nostr that makes it matter. That users control their own key.
Delegation? Subkeys? Oauth does delegated auth. GPG has subkeys. Subkeys seem like the most logical future-proofed solution. And it has the advantage that it can be built piece by piece, rather than, being locked in to a hack with high technical debt.
Subkeys or delegation would solve this problem more elegantly, but it would require all clients and relays to change. I'm currently using nip46. Soapbox is a modified Mastodon client, so I could make it work. But for unmodified Mastodon clients, i have to have the user run a separate program that signs the events alongside the client, so they don't have to expose their key to the server.
Good clients change, bad clients get left behind. There might be a graceful way to do it that doesnt require everyone to upgrade. For profile you can keep the same profile pic, maybe have a little dot on there to indicate subkey. It can be verified. Perhaps also something can go in NIP-05. Tricky thing is pulling in all the replies etc. Worst case is that someone follows your subkey too. Then the WoT stuff gets more complex. Also NIP-98 gets more complext. It could be done in stages. I do admit I'm probably over-simplifying things!
Simplest implementation: - Put subkeys in an array in your profile, key = "subkey" - If it is a single string, it is treated as array of length 1 - It is already signed by the user and pulled in by all clients - Clients can optionally respect it - Visual indicator on the UI, to show it's a subkey of parent - [Optionally?] parent can go in the subkey profile - Other things can be layered on in time, such as revocation, rotation, time stamping, and so on