Oddbean new post about | logout
 Practice safe nsecs 
 Someone have to design condoms with this branding on 
 This line got a few laughs at Nostriga 🥹 
 Review your key management practices today. 🔐 It’s important to stay secure, especially as we build more apps. 💜👀

nostr:note1qr85qsvq69es3s6403p04cnd3yaq34382ufuy25dt77pe3f5sj4qf9dpdm  
 Is it yet possible to have an offline key that can revoke and reissue the online key? 
 No, it's not. We can't revoke keys from accessing things that they had access before. Do you have any ideas around this? 
 Don't use the keys for access.

Revocation seems fairly simple on nostr. Not sure what needs explaining. 

The hard part of nostr delegation is the UX since keys are displayed to end users 
 Can you exactly explain the key management model in your mind? 
 Offline key signs messages about what other keys can represent it

Those other keys go in your clients

If one gets compromised, master key signs a revocation and merkle tree of pre-revocation signatures 
 That’s interesting. Instead of signing events, you sign delegations. 

This seems much better than what we have now. 
 that's NIP26 - Delegated event signing, but it's kinda deprecated: 
https://github.com/nostr-protocol/nips/blob/master/26.md 
 So review our key handling practices, but it's still impossible (or deprecated) to actually have good ones...? 
 do you think using delegated event signing (at least the way mentioned in NIP-26) is the best practice of managing our keys? 
 Key delegation and revokation (or even better, rotation) are badly needed, but NIP 26 isn't it.

Some recent discussion on the topic: https://github.com/nostr-protocol/nips/pull/1452

I'm sure your perspective on the problem would be very welcome. 
 It's not really necessary, because it is impossible. 
 Someday I'll sit down and singlehandedly solve social key rotation 
 #YESTR 
 How does it currently work? Do nostr clients store the private key on their servers after it's submitted by the user? 
 Usually it's stored in the app/browser, hopefully never on the server. You can also use extensions like nos2x or alby to protect your key from the app, or you can use NIP 46 signers like nsec.app or Amber to hold your own keys and sign remotely. 
 Thank you for the explanation. I'm looking at the NIP-46 doc and it's really a neat solution.  
 Best recommended ways to do that? 
 I would love to hear  @Vitor Pamplona &  @hodlbod &  @Alex Gleason opinions on key management practices 🤔 
 What do you do for yourself? 
 I just use nsec.app it's non custodial and works great everywhere except for ios 
 ios don't like anything non custodial 
 I think end users needs a good way to handle it.

Safe, accessible, easy.

Current key managers don't have these 3 at same time.

Sadly I'm one person. Otherwise it was my other project. 
 nostr:nevent1qqsqleg883x4hjcx9d4djvl7ucakl3ekvygg9c22dj3ww262ylrs4gspzemhxue69uhhqatjwpkx2un9d3shjtnrdakj7q3q8ams6ewn5aj2n3wt2qawzglx9mr4nzksxhvrdc4gzrecw7n5tvjqxpqqqqqqzyd770a 
 I think it’s a good way of marketing the importance of protecting private keys.

We all slip up as we learn this system. 
 Nsec.app has self-hosted version now, should be pretty easy to run with Docker. 
 Thank you guys, I’ve got some homework to do 
 Also, what is docker? I’ve never came across that yet