Oddbean new post about login | logout It is resolved by NIP5 : https://nips.nostr.com/5
Sure but it takes some effort to setup.
If we are talking about how 95% of people use it, then not at all. Many beginner friendly Nostr clients now automatically assigns nip05 address for you. So it kinda failed as a 'verification' mechanism unless you have a well known domain that belongs to you and took the effort to set it up.
Partially wrong. NIP-5 as used by 99.9% of people doesn't "verify" anything. It is just an handy way to share/search contacts. Only people that own a well known domain can leverage it as attestation of their connection with it.
We should stop pairing NIP-5 with the word "verification". For newcomers it risks being a shitcoin game. Use NIP-5 for its real functions and embrace WoT for actual contacts check. nostr:nevent1qqsqcjkzhd6zw6mr0n056gtu4zpufp7gvf0m80w0037thcwt8q4mx5cprfmhxue69uhhq7tjv9kkjepwve5kzar2v9nzucm0d5hsygrmmmmmugka3evlgcqwq3922wsul966nhrayl04svauwldhsjjcq5psgqqqqqqsgjxkct
Agreed. PoW keys are a step in the right direction, but even better are what I call PoW endorsements. https://pippellia.com/pippellia/Social+Graph/Navigating+the+social+graph#PoW+endorsement
PoW is a powerful tool, but I don't like mixing money in the verification process, it becomes an upward game where the economically strongest wins. The social graph should be enough, and it's harder to hack.
It's difficult to game it tough. An attacker can pay a miner 10$ to get his PoW checkmark, however, unless he's followed or interact with many other real an trusted people, he'll lose that initial weight in algos like Trustrank.
Creating an identity on nostr is basically free. So imagine an attacker creates a whole new network of nibs following each other, exactly replicating the structure of the real network of npubs, same structure. The two graphs are isomorfic, so any graph analysis will yield the same result. Hence, if you don't have a pov (e.g brand new npubs that don't follow anyone) you can't distinguish between the two, hence my focus on PoW for this case.
Actually, this could be a problem for brand new npubs starting with zero known contacts, but it seems a quite rare case. I think the normality is to be onboarded at least by a friend, or discovering a new app/platform, where I interacted with legittimate users. I would not overcomplicate things. Btw, IRL connections win.
This is the most difficult part. A brand new npub doesn't have a wot network from his pov, but that's not a big deal - onboarding client should ask them about their content preferences/hashtags and even if user doesn't choose to follow someone and get his wot seeded, client could use some popular accounts from the topics user has chosen to serve as temporary wot sources. The bigger problem is that relays can't distinguish a brand new npub from spam. I.e. if someone big tweets about nostr and a wave of new people comes in short time, it's indistinguishable from a spam attack from a botnet. And pow doesn't help much - you'd need something like 100 seconds of mobile cpu to produce pow equivalent to 1 sat - and I bet reply-scammers earn way more than 1 sat per event they post. I keep getting back to this issue in my head from time to time, and still can't find a good general solution, only whack-a-mole. Users can be protected from spam by wot, but public relays designed to onboard new users can't. Unless we attach some extra signal to new users (pow? 1 sat? some version of your pow endorsement?) while keeping the friction low. Any ideas how "pow endorsement" could be practically applied to onboarding users at scale with low friction?
PoW endorsements can be computed by specialized miners, because who computes them isn't important. I am not talking about PoW on every note. PoW endorsements are like PoW keys, but better. However, that's not necessarily useful for new users. But then the question is, how can someone enter nostr? Maybe the answer is that they need a invite of some sort to surpass the "reputation threshold". E.g. the user gets invited by someone and that someone automatically follows them. Or, the user gets invited into a NIP29 (?) community, and so proof of membership in a reputable community can be used.
cc @nielliesmons I am spreading your idea of communities as entry points.
> Maybe the answer is that they need a invite of some sort to surpass the "reputation threshold". That's the only plausible idea to me too, but it doesn't solve someone hearing "nostr" on twitter and googling it and trying to get onboarded.
yep, it doesn't. Maybe, just maybe, that's a feature. U know, invite-only socials have a sense of exclusivity.
Unfortunately the applied solution will be "please type these letters from the image" unless we figure something out
yeah, but I am not that pessimistic. It's an order of magnitude better to do chaptas ONLY ONCE and then rely on your acquired reputation, than solving them all the time
because the values are computed from your position on the graph the fact they have weak links to the rest of the network will still diminish their ranks
ofc, but that's why I said "if u don't have a pov", meaning u are a new users that doesn't follow anyone.
that is probably a bad place to start, but also pretty uncommon, almost everyone knows someone who says "i'm on nostr" and they first follow them even if there is no onboarding procedure
not sure. That's true for our "community" of Bitcoiners, but that might not be true in general.
PoW is also not a verification system. Spammers are more than willing to pay to spam better. They will even buy batches of email addresses, run bots etc… Spammers pay. "Normal" users, commonly, do not.
nothing is a perfect verification system. However, verifiable cost kills 99% of bots, which might be enough.
Why do you think so? Again, spammers are absolutely willing to pay. It's by paying that they have become so prominent on the web. The fact that the cost is "verifiable" doesn't make much of a difference.
Just look at Twitter. I would say 99% of bots haven't the blue check. It's a matter of economic margin. There are spamming methods that are economical at 5¢ that aren't at 10$. And, this PoW stuff that I am talking about, is to be used to help a new user bootstrap his own web of not spam.
It's also useful for proving affiliation with a project or community.
Actually, you can have more NIP-5.
I have 5 of them. 🤷♀️ My point is that I switch them out, on purpose, to show affiliation or to help someone market their project. I low-key wish I could add them all to my profile. 😂
What are NIP-5 real functions?
Share a contact, search a contact. Think of it as a shortcut to a nprofile (npubs + relays hints).
Thanks a lot. Need to ask about relay hints. In this context what would that be?
Tell people where you write your notes and where you would like to read replies. Aka Outbox (originally called "gossip") model. https://mikedilger.com/gossip-model/ This is the foundation of Nostr decentralised structure.
What's the best way to implement WoT?
It'a client job, leveraging the social graph and maybe other metrics. Coracle.social was probably the first to introduce the WoT concept, and it has a great implementation. Read a summary here: https://pippellia.com/pippellia/Social+Graph/Navigating+the+social+graph#Principle+of+least+interference
agree
As a newcomer I found it confusing. Though maybe the concept of verification could be emulated with a competing set of verifiers that the client chooses to adhere to 🤔
I still like the idea of badges for those who have earned them through tasks at live events Or badges for people who zap others a lot and participate in the economy I think we should look to the boyscouts to see what they do- I’ve never been a part of that cult (😂 /s), but they probably have some good ideas
Nice idea, but the problem here is the "value" of the badges. It is necessary bounded to whom create them, they are just a passthrough, so we are falling back to the Web of Trust.
If you make them assigned to tasks it’s a protocol Like being an only-zaps person makes you cooler idc There should be a special only-zaps relay
Someone has to sign the badge; the protocol cannot do it alone. So this “someone” gives trust/value to the badge.
The whole concept of "verification" is bound to centralized structures, it should be buried. Self-verification is a state of mind. Instead, verifying someone/something else is a matter of active experience and interactions, which minimize the trust factor. Of course technology helps, but also WoT needs to be verified and not blindly trusted. "Proof of work" means taking responsibility for everything we care about, exactly like we do (should do) in real life.
There is no way I can fathom doing it without trusted parties, sure. I guess I haven't truly embreced the philosophy already but hypothetically, community bound verifications, though trust reliant could be put in place if desired
> The whole concept of "verification" is bound to centralized structures, it should be buried. It doesn't have to be. There can be multiple verifiers and a single pubkey can be verified by many of them. If among the verifiers that verify me there is at least one which is included in your trusted list, your client should show me as verified. This would be a level of decentralization similar to that of relays (in the inbox model). The issue with NIP-05, if it were a verification system (it's not), would be that an account can only be "verified" by one "verifier". So an account would have to pick just one and you'd be forced to "trust" any widely used one (if you want to rely on verification at all), leading to centralization.
I agree, NIP-5 has nothing to do with verification. I think a (decentralized) verification system on Nostr is possible, but it would have nothing whatsoever to do with NIP-5.
My bet is that 99.9% of the world is onboarded via some already active Nostr user OR using a well known client, that so takes the responsability for not exposing only one totally fake network.
i'd agree, but go further and say less than 1/1000 users are not going to jump in with at least one legit person to start off with, probably more like 1/10000 and so long as the clients default to networks composed of mostly real people fake networks and fake relays are in the same category as scams in general, and probably the subject matter of such fake networks would be pump and dump and other kinds of scammy shitcoinery
First paragraph is wide of the mark - I didn't know any of you freaks before I spun up my npub :) And a lot of people I talk to under #introductions be the same. Sample on convenience etc etc, YMMV, but I'm pretty sure we "walk-ins" are a majority of new npubs. The rest of your post I agree with.
Accurate. I knew no one, only of people talking about it. Everyone I've helped get set up, that I've taken the time to ask, has either watched a video or read an article that piqued their interest.
yeah but you found gigi or jeff booth or lyn or something, or someone anyone dropping their npub, i mean, it's pretty unlikely that you even go to nostr without one person in your mind to follow here, in my opinion most people talk about the people, and the protocol, not the client apps
I'm just saying that some people are so ubiquitously known that knowing of them & searching them out doesn't provide much proof of anything about the person searching & following. I'm probably misunderstanding something somewhere... I should just stay in my lane 😅
well it would be a red flag to spot an influencoor on nostr from X and they only show 5000 followers while they have a million on twitter
Eventually, yes. Once they establish themselves. That number is also incredibly unstable though so is it really reliable?
well, we can't bring all the stray lambs back from the brush but i think in the next 6 months a lot of tools will exist that will improve this... i for one am looking forward to the map of Nostr
i'd agree, but go further and say less than 1/1000 users are not going to jump in with at least one legit person to start off with, probably more like 1/10000 and so long as the clients default to networks composed of mostly real people fake networks and fake relays are in the same category as scams in general, and probably the subject matter of such fake networks would be pump and dump and other kinds of scammy shitcoinery
First paragraph is wide of the mark - I didn't know any of you freaks before I spun up my npub :) And a lot of people I talk to under #introductions be the same. Sample on convenience etc etc, YMMV, but I'm pretty sure we "walk-ins" are a majority of new npubs. The rest of your post I agree with.
Accurate. I knew no one, only of people talking about it. Everyone I've helped get set up, that I've taken the time to ask, has either watched a video or read an article that piqued their interest.
yeah but you found gigi or jeff booth or lyn or something, or someone anyone dropping their npub, i mean, it's pretty unlikely that you even go to nostr without one person in your mind to follow here, in my opinion most people talk about the people, and the protocol, not the client apps
I'm just saying that some people are so ubiquitously known that knowing of them & searching them out doesn't provide much proof of anything about the person searching & following. I'm probably misunderstanding something somewhere... I should just stay in my lane 😅
well it would be a red flag to spot an influencoor on nostr from X and they only show 5000 followers while they have a million on twitter
Eventually, yes. Once they establish themselves. That number is also incredibly unstable though so is it really reliable?
well, we can't bring all the stray lambs back from the brush but i think in the next 6 months a lot of tools will exist that will improve this... i for one am looking forward to the map of Nostr
Yes, and what I mean is that the cost of solving a captcha by automation services is 0.5-30$, I pay for it, spam the shit out of that npub for 1 month, scam people on >30$ and get profit. So it might raise the bar, but not really solve it.