-
Notifications
You must be signed in to change notification settings - Fork 86
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Why no Nip49 signer? #216
Comments
Just asking before I head down the rabbit hole of writing one... |
Hey - there isn't any reason that this doesn't exist in NDK yet other than the fact that neither @pablof7z or I have had any reason to write it yet. From reading through the NIP, I'm still not 100% clear I understand the UX of using one of these ncrypt keys, can you give me an example? |
My own use case is as an "interim" solution to nip46. Allows login with U&P and providing PRIVATE key storage for onboarding new accounts.
So my solution would be to implement (yet another) Nostr login flow to the mix. With an "ncrypt" signer (that could keep private nsec OUT of storage completely), people COULD safely paste encrypted keys between web clients. Here's a link for you (to present and edit invites to your friends) https://nostrmeet.me?jeffg@jeffg.fyi And for people you wanna invite to Nostr.. (where the QR lands people to create accounts in the manner described above) https://nostrmeet.me/jeffg@jeffg.fyi And for people who have CREATED accounts (in the manner above), they can login with U&P on the home page, where ncrypt will be downloaded and decrypted on request (currently stored in hot app memory... but with a signer this could be handled better) |
Ok cool. Makes sense. It would be great if you wanted to create a PR for this - I think you'd be able to follow the NDKPrivateKey code as a template. |
Will do. Thanks for taking a look and considering my idea ahead of time... |
Seems to me, an NDKSigner that dynamically decrypts an encrypted private key ONLY for signing events could be useful? Am I missing something?
pasting ncrypt into web browser clients is LESS BAD than pasting nsec, and allows for MORE login options
if raw nsec is NOT stored (even in memory) by client, ncrypt login becomes even more secure. (different from but maybe not worse than Nip07?)
Signer could store an "ACL" (like Nip07 implementers do, but encrypted in local storage and decrypted upon next login) for granting access to certain events without having to decrypt the ncrypt (ask for password) every time.
Password need not be stored or managed by client implementors. Password input (and event auth) UI could be handled BY the signer (unlike Nip07 signer) via an NDK svelte component for easier implementation.
Am I missing something?
https://github.com/nostr-protocol/nips/blob/master/49.md
The text was updated successfully, but these errors were encountered: