Oddbean new post about | logout
dtonon | 1 months ago (raw) | root | parent | reply | flag 
 How can they tied someone else pubkey to their name?
NIP-05 includes the pubkey, the client verify that it matches with the pubkey of the (signed) kind:0 profile where the NIP-05 is saved, that's all.
Signing the NIP-05 doesn't improve this process.

Actually, signing NIP-05 could prevent someone, after hacking the server, from modifying NIP-05 itself. But it is a borderline case, adds a layer of complexity, and seems unnecessary for a simple identification tool.
acf88a03 | 1 months ago (raw) | root | parent | reply | flag 
 no, their tie their pubkey to someone elses name. Signing would prevent name-spoofing.

For example, i cannot post a message to a relay with your pubkey because i can't sign the message, but i can create a profile with your name and my pubkey because there is no verification. I don't need to hack your server, just create doubt.

btw thanks for responding, i'm implementing a relay and getting to grips with the NIPs, so would be good to know if i misunderstand things.
dtonon | 1 months ago (raw) | root | parent | reply | flag +1 
 There is no way to lock a name, you can also legitimately be daniele; and this is a different matter from NIP-05, that instead is unique and can be verified.
In your example signing would not help, just check the author npub, that's the source of truth (and indeed it is used in a signature check).

Thank you for building :)