https://tim-bouma.npub.pro/tag/identity/ https://tim-bouma.npub.pro/tag/identity/rss/ episodic Fri, 23 Aug 2024 15:31:02 GMT Fri, 23 Aug 2024 15:31:02 GMT https://tim-bouma.npub.pro/tag/identity/ https://raw.githubusercontent.com/trbouma/assets/main/profile_pic_crop.png Fri, 23 Aug 2024 15:31:02 GMT https://tim-bouma.npub.pro/post/note1a5vryh4f9feer22pns83wsprrxaamdc9d69ntw97t9zaw3ddmxvqnrf54z/ https://tim-bouma.npub.pro/post/note1a5vryh4f9feer22pns83wsprrxaamdc9d69ntw97t9zaw3ddmxvqnrf54z/ note1a5vryh4f9feer22pns83wsprrxaamdc9d69ntw97t9zaw3ddmxvqnrf54z bitcoin note1a5vryh4f9feer22pns83wsprrxaamdc9d69ntw97t9zaw3ddmxvqnrf54z npub1q6mcr8tlr3l4gus3sfnw6772s7zae6hqncmw5wj27ejud5wcxf7q0nx7d5 With #bitcoin:
1 btc = 1 btc

with #nostr:
1 npub is 1 npub

In the broader socioeconomic sense these might be considered as #money and #identity, but it is still early.

]]> With #bitcoin:
1 btc = 1 btc

with #nostr:
1 npub is 1 npub

In the broader socioeconomic sense these might be considered as #money and #identity, but it is still early.

]]> Wed, 10 Jul 2024 11:29:51 GMT https://tim-bouma.npub.pro/post/note1fqz6ak9s902ay9xekj3esjl7r6a443v2p0egj4647q3mz99pr5lq5rg344/ https://tim-bouma.npub.pro/post/note1fqz6ak9s902ay9xekj3esjl7r6a443v2p0egj4647q3mz99pr5lq5rg344/ note1fqz6ak9s902ay9xekj3esjl7r6a443v2p0egj4647q3mz99pr5lq5rg344 authentication note1fqz6ak9s902ay9xekj3esjl7r6a443v2p0egj4647q3mz99pr5lq5rg344 npub1q6mcr8tlr3l4gus3sfnw6772s7zae6hqncmw5wj27ejud5wcxf7q0nx7d5 I love the elegance of using npubs for solving the #authentication problem. Having an identifier that natively supports encrypted messaging and signing can vastly reduce the complexity of login (#authentication)solutions and eliminate entirely the need to store passwords.

But this still does not solve the #identity problem. If you are using the same npub to login to a multiplicity of sites, if your nsec is compromised, you’re screwed.

I’ve heard the criticism that login with npub is actually a ‘regression’ to less secure authentication but that’s not an authentication problem, that’s an identity problem.

The best approach is have seen to mitigating identity compromise is Lightning Login (#lud04) where the wallet derives a new pubic/private key for each site that is authenticating (using a hash of the domain to derive a new key pair). That way there is no correlation capability.

Carrying this over to #nostr, if a client is privy to your ‘identity’ (has your nsec), it should be able to derive different npubs for different domains, and handle all of the derivations so all those identities look like it’s all one from the perspective of the client.

So it’s a problem to be solved, but right now I see a huge benefit of just solving #authentication, getting rid of all those bespoke authenticator apps, and not become device-bound to someone’s hardware because of a passkey that refuses to leave the secure enclave.

]]> I love the elegance of using npubs for solving the #authentication problem. Having an identifier that natively supports encrypted messaging and signing can vastly reduce the complexity of login (#authentication)solutions and eliminate entirely the need to store passwords.

But this still does not solve the #identity problem. If you are using the same npub to login to a multiplicity of sites, if your nsec is compromised, you’re screwed.

I’ve heard the criticism that login with npub is actually a ‘regression’ to less secure authentication but that’s not an authentication problem, that’s an identity problem.

The best approach is have seen to mitigating identity compromise is Lightning Login (#lud04) where the wallet derives a new pubic/private key for each site that is authenticating (using a hash of the domain to derive a new key pair). That way there is no correlation capability.

Carrying this over to #nostr, if a client is privy to your ‘identity’ (has your nsec), it should be able to derive different npubs for different domains, and handle all of the derivations so all those identities look like it’s all one from the perspective of the client.

So it’s a problem to be solved, but right now I see a huge benefit of just solving #authentication, getting rid of all those bespoke authenticator apps, and not become device-bound to someone’s hardware because of a passkey that refuses to leave the secure enclave.

]]> Sat, 29 Jun 2024 12:32:18 GMT https://tim-bouma.npub.pro/post/note1g9ndkex904rx59kd785hq6fx9ejfzfu4dqunvekf90p9tl00hqpsmj2506/ https://tim-bouma.npub.pro/post/note1g9ndkex904rx59kd785hq6fx9ejfzfu4dqunvekf90p9tl00hqpsmj2506/ note1g9ndkex904rx59kd785hq6fx9ejfzfu4dqunvekf90p9tl00hqpsmj2506 nostr note1g9ndkex904rx59kd785hq6fx9ejfzfu4dqunvekf90p9tl00hqpsmj2506 npub1q6mcr8tlr3l4gus3sfnw6772s7zae6hqncmw5wj27ejud5wcxf7q0nx7d5 Once again, I am becoming more confident that #nostr and its signed event model is the right way to go. This time around, the model has helped to clarify the distinction between #identifier and #identity.

We’ve all been guilty of using these terms interchangeably, if not as equivalent. I often refer to my npub as my ‘identity’, the shorthand way of referring to my ‘identifier’. I also think of them as being the same, with the knowledge that my ‘identity’ actually exists outside of any one system.

Now with #nostr, the distinction has been clarified: my ‘identifier’ is my npub (straightforward enough) however my ‘identity’ is my npub PLUS a set of events of events signed by my npub.

At its most rudimentary level, my identity is my npub + a kind 0 event with metadata. What is interesting, my identity can change over time if I sign and publish a new kind 0 event.

As well, my identity might look different to different people - the best example is a signed nip04 event that is encrypted and readable by only one other npub. My identity is different to that one npub as it would be to another npub that does not have access to that nip04 message.

This line of thinking about ‘identity’ opens up a way to rotate npubs (use a different identifier), yet keep the same ‘identity’. A possible approach is to create a new npub that signed in a way to be used next in the chain if the old npub is compromised.

Anyway, just some thoughts on the distinction between ‘identifier’ and ‘identity’ - it’s the addition of signed events.

]]> Once again, I am becoming more confident that #nostr and its signed event model is the right way to go. This time around, the model has helped to clarify the distinction between #identifier and #identity.

We’ve all been guilty of using these terms interchangeably, if not as equivalent. I often refer to my npub as my ‘identity’, the shorthand way of referring to my ‘identifier’. I also think of them as being the same, with the knowledge that my ‘identity’ actually exists outside of any one system.

Now with #nostr, the distinction has been clarified: my ‘identifier’ is my npub (straightforward enough) however my ‘identity’ is my npub PLUS a set of events of events signed by my npub.

At its most rudimentary level, my identity is my npub + a kind 0 event with metadata. What is interesting, my identity can change over time if I sign and publish a new kind 0 event.

As well, my identity might look different to different people - the best example is a signed nip04 event that is encrypted and readable by only one other npub. My identity is different to that one npub as it would be to another npub that does not have access to that nip04 message.

This line of thinking about ‘identity’ opens up a way to rotate npubs (use a different identifier), yet keep the same ‘identity’. A possible approach is to create a new npub that signed in a way to be used next in the chain if the old npub is compromised.

Anyway, just some thoughts on the distinction between ‘identifier’ and ‘identity’ - it’s the addition of signed events.

]]>