No, feels like running up against the laws of physics (and sociology). Way I see it, if a human being privately lays eyes on an nsec then we have to assume that nsec is locked to that human being forever. They may or may not have copied it, taken a photo, written it into their Rainman photographic memory, whatever, but for security's sake we have to assume that it’s locked to them forever. Going further, if a human being *could have* privately lain eyes on a nsec (i.e. they had some access and we can't prove that they didn't make use of that access) we have to assume that they did. And so on. All the general corporate security assumptions. In most cases there is no real way for Nostr account to be a practical thing to use without a the possibility of a human being laying eyes on the nsec. (It can be a very impractical thing to use, like sharded up the ying-yang, but that's another story.) And a corporate nsec just doesn't work any more once it's been forever-locked to a human being who could leave the company on bad terms (or is just a jerk). It has to be burned. My solution is to focus on Nostr use cases within companies, mainly as a way to bring frontline workers who don't have any digital identity within their company systems into the social fold. Because each company controls every relay in such an internal Nostr network then you always have whitelisting/blacklisting to fall back on if an nsec is exposed. So relay as the highest level, not nsec. Basically just avoiding the problem. Though enclaves still very useful for that use case, your work on nitro is groundbreaking stuff.

> In most cases there is no real way for Nostr account to be a practical thing to use without a the possibility of a human being laying eyes on the nsec. If nsec is generated inside an enclave and bunker url is returned then no human has seen it. If some "policy" was provided when nsec was generated, like "require m-of-n multisig to change perms, rotate the bunker url, change this policy, etc", then a board of directors can control the nsec without seeing it, and if one of humans leaves they can change the policy and the bunker url. Does this make any sense, or is there still a fundamental flaw here and we're just kicking the can?