Oddbean new post about login | logout Nostr has been promoted to the status of "absolute joke": https://cdn.satellite.earth/943d5b5c4ab21939a5a1f3094cf92e24a3ac80507d50c71766a0d41d08185b62.jpg https://x.com/jamesob/status/1839626122671116528
Jokes on this clown. I love dad joke's.
#nostr Don’t feel left out 😱
First they ignore you, then they laugh at you
on absolute joke X? LOL
Bitcoin works just fine without sub-keys and/or key rotation. Joke's on you X Joker. nostr:nevent1qvzqqqqqqypzqwlsccluhy6xxsr6l9a9uhhxf75g85g8a709tprjcn4e42h053vaqqsqqqycxet6zdj04dp4lxw95rr7wehlsz5scvv4axzearmksyqtmtsmdlxw3
Joker pays for his blue-tick to have his speech filtered 😆
Absolute joke. This protocol one can not use. And how could one trust it when there is not even a phone number and fax when I need technical support?
You're using the protocol now aren't you ... Good joke with the fax. Technical support is a palliative for broken engineering.
Wh there is no seriousnes in my comment. Sorry when it was not obvious 🙃😉
I'd be happy to have these, but it works just fine without.
X word salad 🤣 He should try penis butter 🍆 🧈 Only then will he understand 🤙
OK guys we just have to solve one of the hardest unsolved problems in cryptography so this guy can join nostr grace us with his bad takes 💪 let's get to work
THIS IS ONLY A VALID TAKE IF YOU BOYCOTT X FOR THE SAME REASON.
Once x.com becomes a custodial nsecbunker provider I think everybody who thinks Nostr is cryptographically unsound will be able to switch, knowing that their sacred keys will be finally safe.
Npcs need safety
I think at least the same account holder should be allowed to get another nsec generated if an email or phone number were registered for account recovery.
To be fair, it's not unreasonable to have this primal desire for subkeys and key rotation. The problem is that: 1) it's not possible to do without centralization (or a blockchain) -- Bluesky tried, and the best solution they came up with was a big server that hosts a history of keys for everybody and can censor anyone; 2) doing it by means of Nostr events that declare subkeys or delegation or whatnot, creates insurmountable complexity that turns Nostr into an unusable pile of bloatware and away its most basic feature: the chance of working; 3) it's not the only way to protect your key from rogue computers and apps -- NIP-46 and other methods exist and are much nicer to use, with still many unexplored possibilities; 4) it's not clear that more than 16 people in the entire world want this at all -- when was the last time a normal person thought about rotating their PGP keys?
I guess FROST, such like NIP-95, is likely to be 3). if one of NSECs composing of a NPUB can be replaced.
Still don't get how that works or what's even possible with that. Can you, for example, have a quorum of keys that control one nsec and switch them out for an entirely different set of keys?
It's like creating a public key with multiple private keys, like multisig creates an single address by multiple pubkey, or Shamir creates a single seckey from multiple shares. I am still studying this, but since it depends on schnorr signature, I think it will be difficult with the current nostr key (though proto NIP-95 exists already). it will have to start from a new key, won't it?
can't you do something like musig with schnorr quite easily?
100% I would much rather have a safe way to remotely sign then have key rotations.
> doing it by means of Nostr events that declare subkeys or delegation or whatnot, creates insurmountable complexity that turns Nostr into an unusable pile of bloatware and away its most basic feature: the chance of working; Really? Yet another event kind is the universal answer to every problem in nostr, or so I've heard.
We do have a blockchain we can use and a way to do it in a self-sovereign manner. I think key rotation completes the spectrum from ephemeral to permanent identities. The edges will always have less traffic, but they matter. https://github.com/pubkeychain/pkc-protocol
> 2) doing it by means of Nostr events that declare subkeys or delegation or whatnot, creates insurmountable complexity that turns Nostr into an unusable pile of bloatware This is already happening with different NIPs trying to do everything on nostr. Example: Name System
4) The better question is how much more often would people rotate their PGP keys if the email ecosystem was designed with robust support for decentralization and user security instead of being designed to help corporations collect data
I have a good idea on how to accomplish key rotation but it's difficult to implement to the entire protocol.
The only people you have to declare your newly rotated key to is: Your followers ∩ The ones you want to keep. User applications would have the option of caching keys used for historic notes. The local cache might get a bit chunky if users rotate a key for each note, but keys could be locally jettasoned using a stack-height setting for each chain of keys [user]. One of the reasons I don't like Nostr is that there is no reliable way to expunge notes from relays. Without the ability to do this, there doesn't seem to be a way to meet conditions for acceptable levels of privacy.
One method that occurred to me as an alternative (or even a bolt-on) to ordered HD key rotation would be for each new user to generate a (say 128Kb) pad of key pairs instead of a single key pair. Each key pair would be random-entropic. A user's first note is signed/encrypted using the first key on the pad, but with the note including metadata denoting the next key (from the pad) to be used... or a clue to the next key. The key could be switched every note, every 21 notes etc. Only those who have been sent the full pad of public keys are then able to stitch-together the full note history. It doesn't feel too computationally expensive to me. Obviously lots of flaws with this, but perhaps a basis for something...?!?
It's true. I will never seriously use this unless I can invalidate a leaked key. This thing is hot, you throw your nsec into clients like some dudes their dick into chicks. Some protection is needed. Until then (an probably later because wtf is social media anyway) this is just fun
Good point and lol on the analogy. I suppose the question is do we want the loose birds as part of the flock? This is always the problem with mass adoption, you have to govern people into a safe space, which eventually leads to tyranny.
That is the problem with sovereign technology. If you don't have the mental capacity to be sovereign, should you be able to use this technology? If the answer is yes it may stay away from mainstream forever, if no it needs a lot more work. I don't have the time or patience to validate each download or bulid the client myself after reviewing the code. It is only a matter of time in which a client appears that collects nsec. A password can be changed, a twitter/x account can be deactivated or post written by imposters that got hold of the credentials removed. You don't have a daddy or mommy here, that is somewhat a good thing, but you also have no way to get your stuff back if you are just mindless once.
This is why reasoning and logic are critical skills to teach children under an uncompromising moral framework of first principals. You need to be able to assess risk or where you don’t, have the ability know how to research the authority that can give you the knowledge to make a decision. We’ve become a people under protective authority and safeguards and those authorities are being co-opted into control and tyranny. No one is to blame other than people and parents who chose these structures for protection instead of ensuring self sovereign protection and societal charity. This is why I find Jesus’s words to the power structures of His day is so true in todays world: Matthew 22:37 Jesus replied: 1) “’Love the Lord your God with all your heart and with all your soul and with all your mind.’ 1st commandment equalling moral perfection as God is the moral law via the 10 Commandments. 2) “Love your neighbor as yourself.’ The second commandment. Charity and moral guidance towards people around you. These two are the fulfilment of all the laws. People do not do this and outsource this to the kings and governments which eventually oppresses them. Samual 8: “ When that day comes, you will cry out for relief from the king you have chosen, and God will not answer in that day” Continue to teach people towards self sovereignty and freedom under Gods moral law. Bitcoin and Nostr are but tools, they will not save people if people do not have the right mental framework. God bless,
It is a joke
Good bitcoiner, bad take
I’m really enjoying Nostr 🤷♂️
Congratulations everyone! 💪
Does he rotate his Bitcoin keys pretty often too then?
Well, nsec is indeed something many people expose to many online systems. nsec bunker is probably not widely used. At least not more than 2% of users use it.
Handling the safety of a nsec is too much to ask for a NPC.
I think the core of this can be to establish a relation between profiles using the kind 0. We have a field to explicitly tell everyone that a pubkey is/belongs to a bot. We can do the same for master and subkey relations. Doesn't seems to add much complexity
Well ... if I want all your posts I now first have to query for all your subkeys. When you follow 1.5k people it's already an issue that you have to slap that list of pubkeys on many of your queries, uploading MBs of queries every other second.
Yes, that would be a mess, but the master public key can simply announce its currently in use subkey by establishing this relationship in its kind 0. This effectively creates a signed 'certificate' that links a master key pair with its subkeys. Additionally, subkeys must also specify this relationship in their kind 0, providing two-way verification since both the master key and subkey certify their connection. In this way, the master key pair becomes the source of truth for where to find the current activity of the user/entity. There maybe more details and edge cases to cover, but for a note it's enough, happy to keep discussing 👌
The relationship attestation isn't my concern. My concern is that now clients need to keep track not of one key but of many. You could use a different sub key for each client you use, so your profile might refer to more than one key at a time cause you use 3 clients. Additionally you might rotate keys even without knowing them to be compromised, so for older posts you would need to track additional keys. Currently, relays already reject queries for long follows lists. Multiply those lists by 10 and you might see the issue.
What about the UX for managing all these keys? Every time you try a new app you must create a new key using your master key, so where does that master key live? In an offline hardware device?, then it will be incredibly hard and only 5 people in the world will do it, everybody else will just paste nsecs and the protocol will be bloated for no reason. Or in an online device or server that keeps running 24/7 and answering requests for creating new keys somehow? Now we have just recreated NIP-46 but 100 times worse.
> In an offline hardware device?, then it will be incredibly hard and only 5 people in the world will do it, everybody else will just paste nsecs and the protocol will be bloated for no reason. Reading and writing or typing on a keyboard were once specialist skills too. The world adapted somehow. FIDO2 keys are quite common. Don't pull a Luddite here.
The ux would remain largely the same as it is today, since the master keypair wouldn't require frequent interaction, making it suitable for cold storage use cases. The only additional steps would be to attest the relationship between the keys initially, and in the event of a catastrophe or key rotation, where the master keypair would voluntarly inherit the reputation and value of the rotated account and attest to the new one. nostr:nevent1qvzqqqqqqypzqs9eep0ll6hurjkl3sc2fewgses07mjfwxsdcu3at2m8fd0xrdz3qyv8wumn8ghj76mgv968yafwdehhxarjv4jjumt99uq3wamnwvaz7tmjv4kxz7fwdehhxarj9e3xzmny9uqzpngc7pjx2fl38hs3t3vdvzar3emc00mxgn73ydt0kq9l4g7d0r09xyvj4m
I completely understand your point, but it's not what I was trying to convey. I'm thinking about how we can create a more robust security model for accounts, ensuring that users can maintain their reputation, wot, and at the end the value of their account. My idea is not to have one subkey per device, but rather to have a master keypair and an active subkey (which can be improved upon in the future to accommodate more use cases, but for now, let's focus on one master key and one subkey). The master key becomes the source of truth and designates a subkey as the current one in use. In the event that the subkey is compromised, the master key can inherit the reputation and data generated by the subkey, serving as a kind of backup and support. The user can then migrate to a new subkey and update the master's metadata to attest to the new subkey in use. This approach maintains reputation and aggregates it in a single, well-known source, while also solving the poor user experience of rotating public keys. Currently, the most frequent way i've seen people dealing with this case, is publishing a kind1 message telling everyone, which is often only published once, making it likely that a significant portion of contacts will miss the update. This new approach would improve upon that, but its just an idea tbh.
The idea is the same in that you end up with multiple pubkeys or you re-broadcast with the new key all your past events. But, key compromise always happens at some point and that is a good argument to isolating these points so in a nostr where everybody has multiple pubkeys, people would like to use different subkeys for different points or apps or machines. But as fiatjaf pointed out, this problem is sort of solved with nsec bunker as here, the master key controls how the key can be used and you can give sort of sub keys to different systems without third parties needing to care or know about these sub keys.
Yea, but then you make everyone rely on 3rd parties bunkers, or push them to run a server 24/7. Also in that way subkeys will pollute relays since they are just made to trigger the bunker and get a signature from the master pubkey
Those pubkeys are very low bandwidth. The (personal) bunker listens for one pubkey per client you use. I want a bunker in my phone. That's always on.
If the joke is absolute, does that make it a better joke?
Both #nostr and X are great for different reasons. Not using one or the other is just virtue signalling.
So is this something incongruent with the nostr protocol or has it just not been implemented yet?
It's not been implemented yet and now is just the second priority nobody wants to think about. Well, some are working on it and there is proposed nips but there is no widely available standard yet. There is also the take that nostr is meant to be simple and key rotation is not as simple as all the rest.
Actually, what should someone do if he suspects his key may have been compromised? #AskingForAFriend
What people did in the past was to change their name to "old account of [username] (new account in profile)". Of course, if your key really is compromised, whoever has it could change the profile to point to a different account so these pointers are hints but no definite proof that a user moved on to exactly that key.
The only way to different you from a fraudster is to have a nip-05 that only you control IMO. Is not bullet proof but is a pretty good anchor point. Take the verification from your old account to the new one and that will “do”. Ofc that means you’ll have to own your stuff, cause anybody can pay for a “@ zap.stream” or “ nostr check” and get the verification but only the real Zoltan can have “ @ Zoltan.xyz” unless that one is compromised too. In that case you’re kinda fuck 🤣
First they laugh at you…
Ah yes, the one thing keeping normies away is... a more complex keypair system...
Bad news is good news
who the fuck does this little bitch think he is ? the only person who will decide whether NOSTR is a joke or not is me.
To his credit, James is a top notch Bitcoin developer. However I think a lot of those folks are stuck in the Bitcoin developer mindset, meaning security must be perfect 100% of the time or you’ve failed. That level security is not needed in Nostr since your net worth isn’t at risk.
Bitcoin is a joke.
Would those things be nice? Yes of course. But you can’t just lift and shift a Bitcoin developer mindset into Nostr. People’s entire net worth isn’t invested in Nostr tokens, it’s just not the same level of risk or threat model. There is room to be more reckless, iterative, and willing to experiment.
Boombayah ! https://m.primal.net/LHEG.jpg
This is always the problem with mass adoption, you have to govern people into a safe space, which eventually leads to tyranny. Same with Bitcoin, people are giving their BTC wealth to institutions and banks. Power will co-opt those institutions into their will. It is just a matter of time. Read this somewhere: - What the private sector innovates - Government eventually propagates towards control. If you do not understand self-sovereignty and personal accountability, you do not understand freedom. Not your keys, not your coin or Nostr
The Jokestr https://m.primal.net/LHJf.jpg
Nice.
Everyone I know whose had a compromised account on the major social platforms never got it back no matter how hard they tried. Having a non-rotating key is important. if my key is compromised no bad actor can stop me from going in and posting "This account is compromised". they're complaining about something even X/Facebook/insta doesn't do well at. At least here once you find out you have a way Forward that doesn't include all your friends and family getting scammed.
I don't understand well how this works now... but I like it very much and I'm sure that more complexity is worse 🫂
https://image.nostr.build/9f697a2979bbd9fe62e61852bfa26ddf7115cc611a0a8fd144c9f48ad051355e.jpg nostr:nevent1qqsqqqycxet6zdj04dp4lxw95rr7wehlsz5scvv4axzearmksyqtmtspz4mhxue69uhhxarjvee8jtnfwf5hxtn5duhsygpm7rrrljungc6q0tuh5hj7ue863q73qlheu4vywtzwhx42a7j9n5ew7xx2
😂😂😂 #Nostr has been an upgrade for me 🤷🏿♂️🚀 nostr:note1qqqfsdjh5ymyl26rt7vutgx8uan0lq9fpscet6v9n68hdqgqhkhqczgl9j
Nostr is not a joke, it's RSS 3.0 in this age. But many Nostr apps are jokes.
yeah, you hear about the cyber space client yet. lmao
I like jokes :)
no one cares dude
