Catesby
npub1kh33...zhyq
Leader of the failed Gunpowder Plot of 1605. Did me best
Catesby 1 year ago
Reposting this blurb from one of my replies to #asknostr because I’m curious about any thoughts on key security or updates in key management to help avoid loss/theft of nostr keys. I feel like nostr needs a signing device that can generate your key offline, airgapped and hold the keys and sign events only onboard like a bitcoin HW. I think it’s that important. This is probably where someone tells me this already exists! There’s developed by @Keith Mukai of the seedsigner project, which lets you create a #nostr key offline from a standard seed phrase, so the software already exists. Perhaps this could just be added to the seedsigner interface in the future?? That would be amazing. Anyway: “The one fear I have is the single point of failure in the nsec key, and what happens if someone gets a hold of yours. Is there a permissionless 2FA that can be introduced to the login process? I saw Damus has the ability to sign some kind of termination event on your account if, say, someone started rogue posting with your stolen key, but I don’t know how the relays handle this or if other clients would still let them post as you. Someone could decrypt all your DMs with your key, etc. I suppose signing apps are one answer, where you only import your nsec key once, then use that app to sign an event that proves it’s you in order to log into other apps, but this key slinging is a bit scary, and should be treated with the same seriousness as guarding a seed phrase to a cold wallet. More is needed here to protect nostriches from key loss/theft.”
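The "sign only onboard" model the post asks for is a separation of roles: a signer holds the secret key and returns signatures, while the client (or relay) only ever sees the public key, the event and the signature. The following is an added example, not code from the post, from seedsigner or from any nostr client. It implements the nostr event format from NIP-01 (id = sha256 of the canonical JSON array `[0, pubkey, created_at, kind, tags, content]`, signature = BIP340 Schnorr over that id) with a pure-Python secp256k1 so it runs offline; the `OfflineSigner` and `verify_event` names and the 32-byte test key are constructed for the demo. The point it demonstrates is that a client holding nothing but the pubkey can fully verify what the signer produced and detect tampering, so the nsec never has to leave the signing side.

```python
import hashlib
import json
import secrets
import time

# secp256k1 curve parameters (field prime, group order, generator).
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def _add(a, b):
    """Affine point addition; None is the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    if a[0] == b[0] and a[1] != b[1]:
        return None
    if a == b:
        lam = 3 * a[0] * a[0] * pow(2 * a[1], P - 2, P) % P
    else:
        lam = (b[1] - a[1]) * pow(b[0] - a[0], P - 2, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return (x, (lam * (a[0] - x) - a[1]) % P)


def _mul(k, pt):
    """Double-and-add scalar multiplication (demo only, not constant-time)."""
    r = None
    while k:
        if k & 1:
            r = _add(r, pt)
        pt = _add(pt, pt)
        k >>= 1
    return r


def _tagged_hash(tag: str, data: bytes) -> bytes:
    t = hashlib.sha256(tag.encode()).digest()
    return hashlib.sha256(t + t + data).digest()


class OfflineSigner:
    """Hypothetical signing device: the secret key lives here and never leaves."""

    def __init__(self, seckey: bytes):
        d0 = int.from_bytes(seckey, "big")
        if not 0 < d0 < N:
            raise ValueError("secret key out of range")
        pt = _mul(d0, G)
        # BIP340 uses x-only public keys; negate d so that P has an even y.
        self._d = d0 if pt[1] % 2 == 0 else N - d0
        self.pubkey = pt[0].to_bytes(32, "big")  # the only thing the client gets

    def sign(self, msg32: bytes, aux: bytes = None) -> bytes:
        """BIP340 Schnorr signature over a 32-byte message (the event id)."""
        aux = aux if aux is not None else secrets.token_bytes(32)
        t = (self._d ^ int.from_bytes(_tagged_hash("BIP0340/aux", aux), "big")).to_bytes(32, "big")
        k0 = int.from_bytes(_tagged_hash("BIP0340/nonce", t + self.pubkey + msg32), "big") % N
        if k0 == 0:
            raise ValueError("bad nonce")
        R = _mul(k0, G)
        k = k0 if R[1] % 2 == 0 else N - k0
        rx = R[0].to_bytes(32, "big")
        e = int.from_bytes(_tagged_hash("BIP0340/challenge", rx + self.pubkey + msg32), "big") % N
        return rx + ((k + e * self._d) % N).to_bytes(32, "big")


def verify(pubkey: bytes, msg32: bytes, sig: bytes) -> bool:
    """BIP340 verification using only the x-only public key."""
    if len(pubkey) != 32 or len(sig) != 64:
        return False
    x = int.from_bytes(pubkey, "big")
    r = int.from_bytes(sig[:32], "big")
    s = int.from_bytes(sig[32:], "big")
    if x >= P or r >= P or s >= N:
        return False
    y = pow((x ** 3 + 7) % P, (P + 1) // 4, P)  # lift_x: recover the even-y point
    if (y * y - x ** 3 - 7) % P != 0:
        return False
    if y % 2:
        y = P - y
    e = int.from_bytes(_tagged_hash("BIP0340/challenge", sig[:32] + pubkey + msg32), "big") % N
    R = _add(_mul(s, G), _mul((N - e) % N, (x, y)))  # R = s*G - e*P
    return R is not None and R[1] % 2 == 0 and R[0] == r


def event_id(ev: dict) -> str:
    """NIP-01 id: sha256 over the canonical serialisation."""
    ser = json.dumps([0, ev["pubkey"], ev["created_at"], ev["kind"], ev["tags"], ev["content"]],
                     separators=(",", ":"), ensure_ascii=False)
    return hashlib.sha256(ser.encode()).hexdigest()


def sign_event(signer: OfflineSigner, kind: int, content: str, tags=None, created_at=None) -> dict:
    """Client side builds the unsigned event; only the 32-byte id crosses to the signer."""
    ev = {"pubkey": signer.pubkey.hex(), "created_at": created_at or int(time.time()),
          "kind": kind, "tags": tags or [], "content": content}
    ev["id"] = event_id(ev)
    ev["sig"] = signer.sign(bytes.fromhex(ev["id"])).hex()
    return ev


def verify_event(ev: dict) -> bool:
    """What a relay or another client checks: id matches content, sig matches pubkey."""
    return ev.get("id") == event_id(ev) and verify(
        bytes.fromhex(ev["pubkey"]), bytes.fromhex(ev["id"]), bytes.fromhex(ev["sig"]))


if __name__ == "__main__":
    signer = OfflineSigner(secrets.token_bytes(32))       # key generated on the signer side
    note = sign_event(signer, 1, "hello from an airgapped signer", created_at=1700000000)
    print(verify_event(note))                             # True
    note["content"] = "rogue post"                        # a tampered copy no longer verifies
    print(verify_event(note))                             # False
```

`sign_event` is the seam the post describes: the client never calls anything that needs the secret, so the same client code works whether the signer is an in-process object, a separate app, or a device on the other side of a serial link. A real implementation would swap `_mul` for a constant-time library and keep the NIP-01 string-escaping rules exactly, but the verification logic is what a relay does.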
Catesby 1 year ago
GFY could also mean “Good For You” just sayin #gm
Catesby 1 year ago
#gm nostr I want to #asknostr about their main identities. I’m too chicken shit to join as myREALself at this point, although it would increase my credibility tenfold as a published author on cryptography, because I fear combining my real identity, which already exists online elsewhere, with my nostr activity because I have always wanted to keep my bitcoin involvement separate from the real me online to avoid any unwanted attention, or home invasions. I’m so impressed & empowered to see folks being their real selves, but then I wonder if there’s any real benefit. Do you keep multiple identities for different moods, or do you just have one? Is it your real name? Thoughts?
Catesby 1 year ago
#gm #music #musicstr #tunstr Andrew Bird & St Vincent | Soirée de Poche #art #artstr #coffeechain
Catesby 1 year ago
Multisig backups are a mess. The BSMS standard exists, but in my experience, the BSMS files are not compatible 100% from wallet to wallet. I’ve tried and some wallets fail to load BSMS files created by others. Period. This leaves me feeling like I would need to rely on one wallet vendor for recovery instead of the basic and universal, uncomplicated seed phrase. So for long term storage, it’s frightening to feel like you might have problems later if your chosen wallet vendor vanishes. You need to be concerned with derivation paths, key fingerprints and all that mess. My question is: has anyone simplified multisig (self-custody) backups to the fool-proof level of seed phrase simplicity? #asknostr #multisig