2025-06-22 19:23:04

Anthony Accioly on Nostr:

Just bringing this here as I already tagged folks on both sides anyway, lol.

https://github.com/nostr-protocol/nips/pull/1335

Having a quick glance at this, it looks like the perfect counterpart to what is doing above, as Keyoxide also uses the OPENPGP4FPR scheme to validate what on their side will be the proof (and on Nostr’s side will be the proof). The difference is that with what I'm proposing above, you don't need to include the full PGP key or signed proof in the `i` field, just an OPENPGP4FPR format URL with the fingerprint and a link to where the key can be downloaded (i.e., a direct link to an .asc file, a PGP key server, or an email address from a domain with a working WKD).

That way, you solve the “PGP keys can be big” problem and get better proof, as it’ll be embedded in the key itself (and can easily be "revoked" by simply deleting the notation from the key, even if you lost access to your Nostr key).

And of course, you can generalise this to include other certificates linked via notations as well. For example, here’s my Keyoxide profile:

https://keyoxide.org/1bbdc23d1853255d6415d2ec814edf851aab370e

Everything you see there is assembled starting from UIDs + notations in my PGP key. I could easily link a new UID, or even another PGP key, say for haven@bitvora.com and sign a sha256sum of Haven's binaries with it, Linux ISO style (actually, , this is exactly what I'm planning to do, just so you're aware :)). I'm pretty sure we can come up with a good notation for Zapstore and Android stuff too.

Have a look when you have a chance:

https://docs.keyoxide.org/openpgp-profiles/gnupg/
Author Public Key
npub1a6we08n7zsv2na689whc9hykpq4q6sj3kaauk9c2dm8vj0adlajq7w0tyc