Oddbean

I'm skeptical about most of the Pros listed: > Multiple keypairs/identities are not needed - that's just implementation detail, like generating tokens in oauth etc > Access tokens are only useful for authorization and are generally short-lived, they don't leak any permanent information. - not sure which parts of nip46 leak anything, can you provide details? > Signer events are now "private" between clients and signers, and can't leak user activity such as note decryption when opening a new client. - this one is valid concern > No relay, no relay to trust - most nip46 providers will host their own relay for many reasons, and even if they use a third-party relay - they will only recommend one they trust, so if you trust a provider, you probably trust the relay > Http attack surface is well understood - need more details and maybe examples here > CORS could possibly be used as a security advantage for web clients - need details and ideas of where and how > Reduces signing server dev complexity - you won't implement oauth yourself, you'll use a library, but then you can just use a library to implement nip46 > Full OAuth2 and identity management infrastructure already exists - which of them could I start using tomorrow to use with Coracle or Snort on mobile? This might be true for corporate world, not much for individuals > Since clients connect directly, network/http requests can be audited easily - audited for what? all requests are signed, the only thing lacking with nip46 is peer's IP address, which is only useful for privacy violations of good users, since bad people hide their IP anyway > Reduces client complexity and deprecated encryption spec - you will use a library in both cases, so complexity is comparable. nip04 is bad, agreed.