2024-11-13 23:20:39

Aspie96 on Nostr: NIP-05 doesn't prove an account is "legit", nor was it ever meant to. It's not ...

NIP-05 doesn't prove an account is "legit", nor was it ever meant to.
It's not intended as a form of verification and it's a shame clients may imply that it is.

Please, see this: https://hedgedoc.semisol.dev/ciXY6QE-Tx6CQZowDwcK4A
Or this:

What is NIP-05 really?

If you look at the spec, it’s a way to map Nostr public keys to DNS-based internet identifiers, such as name@example.com.

If you look at Nostr Plebs:

It’s a human readable identifier for your public key. It makes finding your profile on Nostr easier. It makes identifying your account easier.

If you look at basically any client, you see a checkmark, which you assume means verification.

If you ask someone, they probably will call it verification.

How did we get here?

Initially, there was only one client, which was (kind of) the reference implementation: Branle.

When it added support for NIP-05 identifiers, it used to replace the display name with the NIP-05 identifier, and it had to distinguish a NIP-05 from someone setting their display name to a NIP-05. So they added a checkmark…

Then there was astral.ninja and Damus: The former was a fork of Branle, and therefore inherited the checkmark. Damus didn’t implement NIP-05 until a while later, and they added a checkmark because Astral and other clients were doing it.

And then came new clients, all copying what the previous ones did… (Snort originally did not have a checkmark, but that changed later.)

The first NIP-05 provider

Long story short, people were wondering what NIP-05 is and wanted it, and that’s how Nostr Plebs came to be.

They initially called their service verification. Somewhere between January and February, they removed all mentions of verification except one (because people were searching for it), and publicly said that NIP-05 is not verification. But that didn’t work.

Then there were the new NIP-05 providers: some understood perfectly what a NIP-05 identifier is and applied the correct nomenclature. Others misnamed it as verification, adding to users’ confusion. This made the problem worse on top of the popular clients showing checkmarks.

(from this point in the article we’ll refer to it as a Nostr address)

And so, the scams begin

Spammers and scammers started to abuse Nostr addresses to scam people:

  • Some providers have been used by fake crypto airdrop bots.
  • A few Nostr address providers have terminated a multitude of impersonating and scam identifiers over the past weeks.

This goes to show that Nostr addresses don’t verify anything, they are just providers of human readable handles.

Nostr addresses can be proof of association

Nostr addresses can be a proof of association. The easiest analogy to understand is email:

jack@cash.app -> You could assume this is the Jack that works at Cash App.

jack@nostr-address-provider.example.com -> This could be any Jack.

What now?

We urge that clients stop showing a checkmark for all Nostr addresses, as they are not useful for verification.

We also urge that clients hide checkmarks for all domain names, without exception, in the same way we do not show checkmarks for emails.

Lastly, NIP-05 is a Nostr address, and that is why we urge all clients to use the proper nomenclature.

Signed:


Anyone can buy a domain name, therefore anyone can get a NIP-05 identifier.
Just setting up a NIP-05 identifier does not prove an account is "legit".

Setting up, specifically, an identity associated with a domain name which is known to be legit may prove it, however, as long as the user actually verifies the domain (rather than relying on the useless and misleading "verified" sign that some clients may display).

See, also:
So, now I too have the "verified" badge, on clients that support NIP-05, thanks to (huge props and kudos!).

I think it's important to note what it actually means.

When a profile has a "verified" badge, it does NOT mean the user is genuine. It does NOT mean it's not a (spam)bot. It does NOT mean it's not an impostor.
The only thing it means is that the user has a (currently) valid NIP-05 internet identifier which can (currently) be used as a mnemonic shorthand to their public key. It's all it means, there is nothing else to it.
Whether an account has or doesn't have an identifier says nothing good or bad about it.

My NIP-05 identifier is now "aspie96@Nostr-Check.com" (in the future it might be tied to my own domain).
It's all the badge means.
Author Public Key
npub13mjzjryckg9jnxgn3vez73nw5gx82cy0269t2083zjftlxewsjwqny8hs2
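
An added example, not part of the post, the quoted article, or any client's code: one way a client could treat a Nostr address as a resolvable handle and, at most, a proof of association with a domain the user has vetted, never as "verification". It assumes the NIP-05 lookup document from `/.well-known/nostr.json` has already been fetched and parsed; `classifyNostrAddress`, `trustedDomains` and the documents passed in are hypothetical names and constructed values.

```javascript
// Added example: classify a NIP-05 Nostr address without implying verification.
// NIP-05 local parts are limited to a-z, 0-9, '-', '_' and '.', case-insensitive.
const LOCAL_PART = /^[a-z0-9._-]+$/;
const DOMAIN = /^[a-z0-9.-]+\.[a-z0-9-]+$/;
const HEX_PUBKEY = /^[0-9a-f]{64}$/; // nostr.json carries hex keys, not npub

// Split "name@domain" into lowercase parts; returns null if malformed.
function parseNostrAddress(address) {
  const parts = String(address).trim().toLowerCase().split("@");
  if (parts.length !== 2) return null;
  const [name, domain] = parts;
  if (!LOCAL_PART.test(name) || !DOMAIN.test(domain)) return null;
  return { name, domain };
}

// nostrJson: parsed body fetched from
//   https://<domain>/.well-known/nostr.json?name=<name>   (fetch not shown)
// trustedDomains: hypothetical Set of domains the *user* has checked personally.
function classifyNostrAddress(address, profilePubkey, nostrJson, trustedDomains) {
  const parsed = parseNostrAddress(address);
  if (!parsed) return { status: "invalid" };

  const names = nostrJson && typeof nostrJson.names === "object" ? nostrJson.names : null;
  const mapped = names && Object.prototype.hasOwnProperty.call(names, parsed.name)
    ? names[parsed.name]
    : undefined;
  if (typeof mapped !== "string" || !HEX_PUBKEY.test(mapped) || mapped !== profilePubkey) {
    return { status: "unresolved" }; // the domain does not list this key under this name
  }

  // The mapping holds. That only says the domain operator lists this key;
  // it says nothing about whether the account is genuine.
  return {
    status: trustedDomains.has(parsed.domain) ? "associated-with-domain" : "address-only",
    // "_" is the NIP-05 root identifier, shown as the bare domain.
    display: parsed.name === "_" ? parsed.domain : `${parsed.name}@${parsed.domain}`,
  };
}
```

Neither successful status is meant to be rendered as a checkmark: `address-only` is just a readable handle, and `associated-with-domain` depends entirely on the user's own judgment of the domain.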