Oddbean

▲ ▼

 I've got another monster blog post on signers coming soon

▲ ▼

 Stoked to read

▲ ▼

 LFG!!!

▲ ▼

 Seed Signer specifically? ..or a variety of hardware wallets?

▲ ▼

 Mostly NIP 46 remote signers for nostr

▲ ▼

 Have you played with knox? It's still new, but I invented an encrypted .bunker portable file format: https://gitlab.com/soapbox-pub/knox

▲ ▼

 I hadn't, I like the bunker file idea

▲ ▼

 I see several minor issues:
- why encode nsecs as bech32 and not hex?
- bunker npubs should be limited as much as possible (1 key = 1 npub or 1 key per bunker) as it adds additional filtering costs to relays, and therefore be independent from users
- secrets only need to be kept for pairing and should most likely be separate from users
and some other issues

▲ ▼

 I guess the best way to redesign would be to have a set of keys (with their bunker nsecs), a set of users, secrets for pairing, and already authorized connections (possibly with descriptive names)

▲ ▼

 - bech32 is used for unambiguity, and an open door to putting ncryptsec in there.
- each new authorization (eg `bunker uri` call) creates a new keypair for security reasons. However you can reuse the same bunker URI "n" number of times by passing an `-n 3` flag for "3 usages", for example. I decided this is actually the behavior I want. So I can say "hey social media manager, can you manage this account?" and then send one URI for all their devices instead of a separate URI for each of their devices.
- in this design, the secret is a uuid, and although it's only used "n" times (1 by default), it's still stored as an ID of the connection, so `knox revoke <secret>` can revoke it.

▲ ▼

 check: nostr:naddr1qvzqqqr4gupzqprpljlvcnpnw3pejvkkhrc3y6wvmd7vjuad0fg2ud3dky66gaxaqqykkmn00qkkyet5vyhjuvda