Sharing how I have implemented Web of Trust (WoT) and Root of Trust (RoT) in #nostr #safebox. There are four steps to the verification:
1. Validation: Is the record cryptographically valid?
2. Presenter: Is the record coming from the party to whom it was issued?
3. Attested By Owner: Did the owner attest that the issuing safebox was theirs?
4. In Trust List: Is the owner in the Trust List?
Steps 3 and 4 are independent attestations. For Step 3 the verifier looks up an event signed by the owner stating that they are indeed the owner of the issuing safebox. For Step 4, the verification process has a list of 'root authorities' that are simply npubs; it looks up the followers of those npubs and uses that as the 'Trust List'. In this example there is an account called 'Safebox Trusted Entities', but it could be any account maintained by an organization, such as a College of Physicians, that might want to manage a list of doctors.
Up until now, these schemes needed to be managed by 'specialized authorities' such as certificate authorities, or organizations with proprietary databases. Now with #nostr, we can make these schemes completely open and transparent - not capturable by a technical authority. In short, everyone can become their own root of authority, manage their own trust lists, and also decide which roots to trust when verifying.
This is just a prototype, but it already demonstrates technical capabilities that are stronger and more resilient - and more open than any certificate authority program or public key directory that is out there, including what is being used by passports, driving licenses, or national authorities.
Onward!