2025-05-20 15:43:52
mleku on Nostr:

clients must sign the events or the relay will not accept them; unlike clients, relays don't have the ability to skip that step

the signer is the issue then, but i personally dispute the theory that a web app can't be trusted to keep keys

most shitcoin web apps keep keys in the browser. there is strong isolation in web browsers now, in part because of the number of apps now existing that need to make and check signatures. i mean, the app i'm building part of the back end infrastructure for right now even uses a third party web service called web3auth that secures the key for users. i mean, lol, nostr devs worrying about their singular client app leaking secrets is quite laughable, and then on top to be complaining about how signers, which are supposed to implement policies for signing, both bunkers and extension signers, i fail to see what the basis is for the complaint

i'm inclined to even say that if i were to build a web-based client (and i'm part way through building a bunker) that i'd probably retain the option of the user being able to sign in with an nsec

the danger of breach is way overblown. browsers are not as insecure as they were even just 5 years ago, and back in 2016 i was using a web app that signed events to publish to a blockchain forum system; it was all there, and literally zero incidents of people losing control of keys. 9 years ago.
Author Public Key
npub1fjqqy4a93z5zsjwsfxqhc2764kvykfdyttvldkkkdera8dr78vhsmmleku