Oddbean

▲ ▼

 Review your key management practices today. 🔐 It’s important to stay secure, especially as we build more apps. 💜👀

nostr:note1qr85qsvq69es3s6403p04cnd3yaq34382ufuy25dt77pe3f5sj4qf9dpdm

▲ ▼

 Is it yet possible to have an offline key that can revoke and reissue the online key?

▲ ▼

 No, it's not. We can't revoke keys from accessing things that they had access before. Do you have any ideas around this?

▲ ▼

 Don't use the keys for access.

Revocation seems fairly simple on nostr. Not sure what needs explaining. 

The hard part of nostr delegation is the UX since keys are displayed to end users

▲ ▼

 Can you exactly explain the key management model in your mind?

▲ ▼

 Offline key signs messages about what other keys can represent it

Those other keys go in your clients

If one gets compromised, master key signs a revocation and merkle tree of pre-revocation signatures

▲ ▼

 That’s interesting. Instead of signing events, you sign delegations. 

This seems much better than what we have now.

▲ ▼

 that's NIP26 - Delegated event signing, but it's kinda deprecated: 
https://github.com/nostr-protocol/nips/blob/master/26.md

▲ ▼

 So review our key handling practices, but it's still impossible (or deprecated) to actually have good ones...?

▲ ▼

 thoughts?

cc:  @fiatjaf ,  @PABLOF7z

nostr:note12uj0j60pvzjtaaw2q2rqqc87y7lgwhqtpw06thahf5sqmxmftt8qqhqg4s

▲ ▼

 Excellent thread highlighting something that has been on my mind forever.

nostr:note1r79yxgy57vf50cfte8srwzn5ycz2ad2nzuuz2yxek2uur9jk5uzs0msvzw

▲ ▼

 do you think using delegated event signing (at least the way mentioned in NIP-26) is the best practice of managing our keys?

▲ ▼

 Key delegation and revokation (or even better, rotation) are badly needed, but NIP 26 isn't it.

Some recent discussion on the topic: https://github.com/nostr-protocol/nips/pull/1452

I'm sure your perspective on the problem would be very welcome.

▲ ▼

 It's not really necessary, because it is impossible.

▲ ▼

 Someday I'll sit down and singlehandedly solve social key rotation

▲ ▼

 #YESTR

▲ ▼

 How does it currently work? Do nostr clients store the private key on their servers after it's submitted by the user?

▲ ▼

 Usually it's stored in the app/browser, hopefully never on the server. You can also use extensions like nos2x or alby to protect your key from the app, or you can use NIP 46 signers like nsec.app or Amber to hold your own keys and sign remotely.

▲ ▼

 Thank you for the explanation. I'm looking at the NIP-46 doc and it's really a neat solution.

▲ ▼

 Working on it! Draft is up:

https://github.com/braydonf/nips/blob/key-migration-and-revocation/xx.md

https://github.com/nostr-protocol/nips/pull/1452

▲ ▼

 Best recommended ways to do that?

▲ ▼

 I would love to hear  @Vitor Pamplona &  @hodlbod &  @Alex Gleason opinions on key management practices 🤔

▲ ▼

 What do you do for yourself?

▲ ▼

 I just use nsec.app it's non custodial and works great everywhere except for ios

▲ ▼

 ios don't like anything non custodial

▲ ▼

 I think end users needs a good way to handle it.

Safe, accessible, easy.

Current key managers don't have these 3 at same time.

Sadly I'm one person. Otherwise it was my other project.

▲ ▼

 Nsec.app has self-hosted version now, should be pretty easy to run with Docker.

▲ ▼

 Thank you guys, I’ve got some homework to do

▲ ▼

 Also, what is docker? I’ve never came across that yet

▲ ▼

 https://www.docker.com/