Keys security

[dreson4]

The fact that anyone can make a client and request user's private keys is a big security risk. If we have 10s of clients there's a chance at least one of them will get compromised.
Not sure if there's already a solution for this.

How about we link keys?
A user can generate new private keys on every client instead of sharing the same key, link the public key to other public keys that they have that way one user can have multiple keys but same identity. When one key is compromised they can simply use other keys to delete the compromised one.

Just a thought, not sure if this is possible in the current implementation or not, I'm still reading through trying to understand it fully. Any ideas are welcome.

[armlesshobo]

I wonder why we can't just encrypt messages with a user's public key such that only they can decrypt it with their private key. That way, no one needs to share the private key.

[kevinsmith]

It's definitely a problem. I'd consider it the greatest barrier to adoption. While we do need better security around private keys, I'd argue it's critical that we have a way of rotating keys when a private key is inevitably compromised. (It appears that may have happened to a lot of users just this week.) If we don't have a mechanism for replacing our compromised private keys, people will get fed up and stop using it.

Here's my current thinking on a set of NIPs that could help solve this. #45 (comment)

[fix]

this is by far the most difficult aspect, keeping the key for long term without risk of compromission.

This is a long hanging fruit since the birth of pgp. A good reading about it here:
https://words.filippo.io/giving-up-on-long-term-pgp/

[smartcomet]

I suggest master-signing private keys mechanism. Master public key represents User id, and user can use different signing private key at different client.
We just need a new event like below:
new_signing_key_event_id, signature by signing_private_key, signing_public_key,
signature of sign_public_key by master_private_key, master_public_key
It tells every relays that the signing private key is own by the master key. So master private key only signs new signing key event id which changes to a new signing private key, then it is safe to keep master key unrevealing.

[wsq003]

Any private key can be lost. Some kind of Real Name service is necessary. Real Name service will declare that a new public key is inheriting old public key. Clients can choose which Real Name service to trust.
Public-Key-Inherit could be a new NIP.

[fiatjaf]

Nice try, fed.

[ghost]

Having a key compromised does not stop you from using it. A user can then post their new public key and make a case for why they are the initial key holder and not an impersonator.

There should be a feature in the protocol whereby a user can mark themselves as compromised, so that their subscribers will be alerted by the client software that they need to figure out which new public key is the right one through either being convinced by a message or out of band.