An interesting revelation I had when talking to fishcake (nprofile…f372) about nostr.build's new OTP using NIP-17 Giftwrapped DMs:
The OTP code is sent to the user only. The sender/server doesn't store a copy of the code. That is impossible to do on NIP-04.
If you send OTP via NIP-04, whoever has accept to the sender's key can decrypt and see all the codes. If you use NIP-17 DMs, the code is sent to the user and deleted from everything else.
Vitor Pamplona
npub1gc…fnj5z
2024-10-17 13:49:00
Author Public Key
npub1gcxzte5zlkncx26j68ez60fzkvtkm9e0vrwdcvsjakxf9mu9qewqlfnj5zPublished at
2024-10-17 13:49:00Event JSON
{
"id": "e5ab5cbf80da1de7a94f33cdee5db250fe20a1a8c07d35f3f14beee577a89fff",
"pubkey": "460c25e682fda7832b52d1f22d3d22b3176d972f60dcdc3212ed8c92ef85065c",
"created_at": 1729172940,
"kind": 1,
"tags": [
[
"p",
"8fb140b4e8ddef97ce4b821d247278a1a4353362623f64021484b372f948000c",
"",
"mention"
],
[
"r",
"nostr.build"
]
],
"content": "An interesting revelation I had when talking to nostr:nprofile1qqsglv2qkn5dmmuhee9cy8fywfu2rfp4xd3xy0myqg2gfvmjl9yqqrqppamhxue69uhk2tnwdaejumr0dsq3qamnwvaz7tmwdaehgu3wd3skueqpz3mhxue69uhhyetvv9ujuerpd46hxtnfduekf372 about nostr.build's new OTP using NIP-17 Giftwrapped DMs: \n\nThe OTP code is sent to the user only. The sender/server doesn't store a copy of the code. That is impossible to do on NIP-04. \n\nIf you send OTP via NIP-04, whoever has accept to the sender's key can decrypt and see all the codes. If you use NIP-17 DMs, the code is sent to the user and deleted from everything else.",
"sig": "0479020d1b658ba9bb9e21574e7ef8d86e472d7d5996b1982526d235ce9344da618de4ad22b27269f8b9ae4c6f9cf40566b405b8f4e4fef19bfd3068dd6bfe0b"
}