Sure, extensions are great, but there are a lot of users that aren't going to go through the steps to install a browser extension to use a website. Also, an extension is good for my laptop but it doesn't help me out much on mobile. 

With this setup, you are able to have the convenience of a custodial solution, but, you aren't able to get rugged if they act dishonestly. Now you can effectively rotate your keys without comprimising your npub 

 who would be the custodians? 

 Anyone who wants to run a bunker. I would imagine this will be a premium service that can be provided virtually for free. It is very light on the server. 

 I suspect using FROST is what allows rotating keys without changing your npub. You can do the same for on-chain multisig… rotate a cosigner out without needing to do an on-chain transaction to a new wallet. 

 That’s cool. I didn’t know that was possible. 

 Great questions, 
1. FROST allows for the signature aggregation step to occur without a trusted 3rd party. With something like vanilla shamir secret sharing, you'd need a trusted aggregator to bring together the partial key shares to re-create the root key and sign the message. Here, all share holders can operate independently and never expose their share to anyone else. This also allows us to rotate key shares should some n<T number of share holders become dishonest.

2. Absolutely, I was thinking something like a 3-of-4 set up could be quite cool where you have 1 client key and 3 bunker keys. Whenever you need an event signed, the client creates it and requests signatures from the bunkers, and once at least 2 of them respond, the client can add the client key signature and publish the event. You can keep chaining bunkers indefinitely and continue to improve the trust assumptions, as well as the complexity of the signing coordination.

3. I'm not sure if you can seed this with and existing pubkey and then generate the shares from there. I reckon it should be possible, but going to need to look into that.

4. There are not too many great technical explanations on FROST yet, unfortunately. I would recommend listening to:
- https://www.youtube.com/watch?v=8nuFt-1SWRI
- https://www.youtube.com/watch?v=ReN0kMzDFro
and check out the read me of https://github.com/jesseposner/FROST-BIP340 

 You totally could replicate the nsecbunker "google-like" auth flow on the clients where rather than whitelisting a delegate key, this additional bunker just sends over the encrypted client secret. The important thing is that you aren't trusting a single entity with >= the threshold shares necessary to craft a valid signature. As long as that remains true, you can still safety rotate keys and know that any single malicious entity could not rug you. 

 How do we encrypt/decrypt DMs with Frost? 

 I haven't worked through how that would work yet. I'm by no means an expert on this stuff so I'm not sure if its possible. Hoping to chat with some ppl about this in Nashville next week! 

 Also if you need to be online to assist the bunker, why not just self host?

Not clear what is additive to this  

 Buut the root key have to be able to sign events righ? Or how this root key can sign without being online? 

 That’s the beauty frost. The key shares are able to signed valid messages for the root key if they meet the threshold needed (which is set during the key generation step)

So a client + bunker key pair means valid root key signed messages 

 Ah. Good point. Just have to validate the creation of the final piece.  

 You know, I think this should be considered best practice also for experienced Nostriches... the nsec should imho never have to leave the nest.. ever! Then, if we are at that stage, we can begin building Apps that require security guarantees on Nostr. This is not viable right now!
Great work!! 

 he probably blocked me for asking too many "stupid" questions.... He uses to be responsive, lol.  

 he’s prob just busy playing with his nutsack, give him some time 

 is nearly a year enough, lol? 

 sheeeesshh that’s a long time