 I'm just starting to research this more, but I've got a #Nostr question pertaining to private keys and security. 

As a best practice, it seems like we don't want people to use their NSec to log into a bunch of different clients. Instead, it seems a more favored practice these days is to delegate something to do your signing for you, like the Alby browser extension. 

The user experience is pretty good, and it seems like the current wisdom is to use the browser or a mobile client for this, instead of storing it on a server. My general inquiry is, how secure is this? Is this the best way to do things?

On the #Fediverse side of things, it's more common to see OAuth for client auth. Of course, that all relies on servers, and goes a bit against a peer-to-peer model.

I'm curious as to whether a hybrid approach is possible, or even makes sense: allowing users to tether themselves to some kind of identity provider that more or less does delegated key rotation and some kind of Auth dance for them?
 
 There are in fact identity providers like you're describing; these are called nsecbunkers. Check out the highlighter.com, coracle.social or nostrudel.ninja login flows.

There's a spec for delegated event signing https://github.com/nostr-protocol/nips/blob/master/26.md , but it's ignored by almost all the clients because it sacrifices protocol simplicity. 
 Awesome, thanks for the pointers! Yeah, initially the thought of people just jamming their private keys into apps kind of really bugged me. Actually, reading up on NIP-26 is what motivated me to ask. 
 I had the same question when I saw that browser plugin being pushed. When I checked it, it didn't convince me to use it.

I'm thinking of just using #KeePassXC, though I haven't tried it; maybe there is a feature I haven't explored yet.
 My thoughts are that nostr authentication is alien to what most people have been brought up on and the absence of some bridging technology will prevent wide nostr adoption in the short term.
Having said that, slower, more organic growth of the nostr ecosystem might be beneficial in the long term.