 I don't think Pleroma FE can work without hacking it since it doesn't support OAuth login to begin with. That's an L on their part IMO. You're right, the bunker stuff is underbaked. I'm still thinking on that. The obvious solution that fixes everything is to just allow username and password login. But it defeats the purpose of Nostr. So I don't know the solution yet. I will keep experimenting. In the meantime we should just make Soapbox work correctly. 
 I log into solid either with nostr NIP-98 or username/password or OIDC. You can do the same with SSH. Some VPS make you log in with password first time. There's no real "defeats the purpose" of SSH. Same with nostr, just use the right tool for the right job. It's going to take years to transition users from what they are used to, in any case.

https://image.nostr.build/11d185d5e99c342e60b49c93082b7929c9f81a8e871281a598c89aaf0507e681.jpg 
 I wish it were that simple. But I have to sign events with their key - ssh doesn't. So it's not just a "tell me who you are" problem, but a "how do I BE you" problem. The only way to accept a password is to custody the user's keys, which I do think defeats the purpose. ActivityPub and Bluesky have keys too (held by the server instead of the user), and this is the one thing about Nostr that makes it matter. That users control their own key. 
 Delegation? Subkeys? OAuth does delegated auth. GPG has subkeys. Subkeys seem like the most logical future-proofed solution. And it has the advantage that it can be built piece by piece, rather than being locked in to a hack with high technical debt.
 Subkeys or delegation would solve this problem more elegantly, but it would require all clients and relays to change.

I'm currently using NIP-46. Soapbox is a modified Mastodon client, so I could make it work. But for unmodified Mastodon clients, I have to have the user run a separate program that signs the events alongside the client, so they don't have to expose their key to the server.
 Good clients change, bad clients get left behind. There might be a graceful way to do it that doesn't require everyone to upgrade.

For profile you can keep the same profile pic, maybe have a little dot on there to indicate subkey.  It can be verified.  Perhaps also something can go in NIP-05.

Tricky thing is pulling in all the replies etc. Worst case is that someone follows your subkey too. Then the WoT stuff gets more complex. Also NIP-98 gets more complex. It could be done in stages.

I do admit I'm probably over-simplifying things!
 Simplest implementation:

- Put subkeys in an array in your profile, key = "subkey"
- If it is a single string, it is treated as array of length 1
- It is already signed by the user and pulled in by all clients
- Clients can optionally respect it
- Visual indicator on the UI, to show it's a subkey of parent
- [Optionally?] parent can go in the subkey profile
- Other things can be layered on in time, such as revocation, rotation, time stamping, and so on
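
The "simplest implementation" sketched in the list above, written out as an added JavaScript example. This is not code from anyone in the thread, nor from Soapbox or any other project mentioned; the field names "subkey" and "parent" are taken from the proposal, the pubkeys and events are constructed sample data, and the example assumes every event has already had its schnorr signature verified by the client's normal NIP-01 path before reaching this code (the placeholder `id`/`sig` values are not checked here). The security point it makes explicit: only the parent's own signed kind-0 profile may name a subkey; a "parent" field inside the subkey's profile is a lookup hint, never proof. It also handles two cases the list leaves for later: a newer parent profile that drops a subkey (treated here as revocation, an assumption of this example) and two parents both claiming the same subkey (treated as ambiguous and not honoured).

```javascript
// Added example: resolving a Nostr event's effective author under the
// proposed "subkey" field in kind-0 profile metadata. Not project code.
// Assumption: events were signature-checked upstream; id/sig are placeholders.

const HEX_PUBKEY = /^[0-9a-f]{64}$/;

// Parse the proposed "subkey" field. A single string is treated as an
// array of length 1; malformed entries are dropped rather than trusted.
function parseSubkeys(profileContent) {
  let raw;
  try {
    raw = JSON.parse(profileContent).subkey;
  } catch {
    return [];
  }
  if (typeof raw === "string") raw = [raw];
  if (!Array.isArray(raw)) return [];
  return [...new Set(raw.filter((k) => typeof k === "string" && HEX_PUBKEY.test(k)))];
}

// Kind 0 is replaceable: keep only the newest profile per pubkey, so a
// parent can drop a subkey simply by publishing a profile without it.
function newestProfiles(events) {
  const newest = new Map();
  for (const ev of events) {
    if (ev.kind !== 0 || !HEX_PUBKEY.test(ev.pubkey)) continue;
    const cur = newest.get(ev.pubkey);
    if (!cur || ev.created_at > cur.created_at) newest.set(ev.pubkey, ev);
  }
  return newest;
}

// Build subkey -> parent from the parents' own profiles. If two different
// parents list the same subkey the entry becomes null (ambiguous).
function buildSubkeyIndex(events) {
  const index = new Map();
  for (const [parent, ev] of newestProfiles(events)) {
    for (const sub of parseSubkeys(ev.content)) {
      if (sub === parent) continue; // a key cannot be its own subkey
      const prev = index.get(sub);
      index.set(sub, prev === undefined ? parent : prev === parent ? parent : null);
    }
  }
  return index;
}

// Decide whom an event should be attributed to. The UI can use viaSubkey to
// draw the "little dot" indicator described in the thread.
function resolveAuthor(event, index) {
  const parent = index.get(event.pubkey);
  if (parent === undefined) return { author: event.pubkey, viaSubkey: false, ambiguous: false };
  if (parent === null) return { author: event.pubkey, viaSubkey: false, ambiguous: true };
  return { author: parent, viaSubkey: true, ambiguous: false };
}

// The optional "parent" hint in a subkey's own profile is honoured only
// when the named parent's profile confirms it; otherwise anyone could
// claim to be a subkey of a popular account.
function parentClaimConfirmed(profileEvent, index) {
  let claimed;
  try {
    claimed = JSON.parse(profileEvent.content).parent;
  } catch {
    return false;
  }
  return typeof claimed === "string" && index.get(profileEvent.pubkey) === claimed;
}

// ---- constructed sample data (not real keys or events) ----
const PARENT = "11".repeat(32);
const SUB = "22".repeat(32);
const IMPOSTOR = "33".repeat(32);
const OTHER = "44".repeat(32);

function ev(pubkey, kind, created_at, content) {
  return { id: "placeholder", pubkey, created_at, kind, tags: [], content, sig: "placeholder" };
}

const SUB_PROFILE = ev(SUB, 0, 100, JSON.stringify({ name: "alice (phone)", parent: PARENT }));
const IMPOSTOR_PROFILE = ev(IMPOSTOR, 0, 100, JSON.stringify({ name: "alice", parent: PARENT }));
const SAMPLE_EVENTS = [
  ev(PARENT, 0, 100, JSON.stringify({ name: "alice", subkey: SUB })), // string form
  SUB_PROFILE,
  IMPOSTOR_PROFILE,
];
const NOTE_FROM_SUB = ev(SUB, 1, 150, "posted from my phone");
const NOTE_FROM_IMPOSTOR = ev(IMPOSTOR, 1, 150, "hi, it's alice, send sats");

const INDEX = buildSubkeyIndex(SAMPLE_EVENTS);
```

Running the sample through `resolveAuthor` attributes `NOTE_FROM_SUB` to `PARENT` and leaves `NOTE_FROM_IMPOSTOR` on its own key, because only the parent's profile is consulted. Rotating or revoking a subkey is a new kind-0 from the parent; no change to relays is needed, which is the "clients can optionally respect it" property the proposal relies on.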