
Nostr will always be a fringe network. The normies do not want to manage their own keys.




Hopefully some day we will get state-managed PKI, and citizens will get used to handling their keys appropriately.

It's crazy that some functionality on e.g. the IRS website requires me to verify my identity using a private company (ID.me).


That also goes to the other extreme.

For all the faults of current Fediverse software implementations, it at least gives more options than nostr. If you don't care about controlling your own identity, you can use someone else's server. Nostr doesn't give you that, it's all or nothing.


No thank you. The last thing anyone should want is governments holding ownership over their private keys.

Private companies are bad enough, but at least they won't declare you an undesirable for your political beliefs or religion or ethnicity or gender identity or sexual preference or whatever and shoot you in the head over it.

Except where governments and private companies collaborate, which of course happens (looking at you literally every American social media platform.)


There's certainly a middle ground. I'd like to have A WAY to authenticate with the US government, other than an in-person ID check or a random private company.

It would be great if governments provided the option to authenticate with third party PKI. Having a public option would be nice as well. Identity management and verification is a core competency of government, after all.


> Hopefully some day we will get state-managed PKI, and citizens will get used to handling their keys appropriately.

Passports have had keys in them for a while now (so-called "e-passports")


These keys are intentionally not usable for non-repudiable signatures.

European IDs already have a chip with your personal keys and you can use that to log into any state operated service

Neither do all EU member states (in case you mean that by "European") issue ID cards, nor do the ones that do universally enable them for digital signatures.

Many EU countries have existing e-signature rails completely independent from physical ID cards, which only have to conform to ICAO document verification standards (and these are intentionally not usable in an e-signature context).


There is no European ID. Please specify individual countries (I think this is just Estonia at the moment?)

German ID cards also support eID functionality on their citizen ID cards and even permanent resident ID cards, but ironically EU citizens are qualified for the issuance of neither, so they had to introduce another type of card for them to not run afoul of EU anti-discrimination laws.

All of this is currently pretty messy and there's only limited practical cross-country acceptance of eIDAS signatures, but is supposed to get unified under the banner of EUDI (EU Digital Identity) "wallets".


Portuguese IDs also have a sim card, but I never used it for anything other than accessing government services.

in my case Spain with the DNI 3.0 but as others commented it's a thing in many of them

has been the case for Hungarian ID cards for a decade now, but it was never really used, except maybe by bureaucrats in gov offices to access their systems.

but no one understands it, including the people who need to issue new signing keys.

it didn't get anywhere really. it was just a good opportunity for a lot of taxpayer money to... "lose its taxpayer money nature" (actual phrase by an actual politician when cornered by questions).

and now they are "moving on" to an app that must be installed on your phone to access more and more services.

ID2030 is roaring on worldwide... soon mandatory iris scans, vaccine implants, and who knows when they will try to roll out mandatory brain implants against thought crimes.

the more i think about the sign of the beast (as an atheist), the more sense it makes.


Normies manage their house keys just fine. Obviously crypto keys come with different challenges but that's a UX problem. People losing their house keys is not generally an Earth shattering event. Losing a crypto key doesn't have to be either.

A wallet is easier to lose than a bank vault, but it also holds less money for the same reason. Crypto keys can be designed the same way, with high importance keys managed by safer means like m of n schemes mixed with traditional "hard" storage in geographically distributed safe deposit boxes or whatever, while less important keys can be treated in a more relaxed fashion.


This analogy misses the entire system keeping house keys manageable. If you lose your keys, a locksmith can help you regain access cheaply and quickly because there’s an entire legal system allowing you to prove that you are the legitimate owner. The system you describe for crypto keys is not only significantly harder to use but also lacks that cushioned landing if any part of that fails. Any teenager with poor impulse control can toss a brick through the window and gain access to my house, maybe even grab the spare keys, but they couldn’t occupy it for very long or transfer it to a new owner, which is a significant risk mitigation compared to those crypto keys even before you consider how many more attackers you have to worry about online – there’s no real-world analog to some guy phishing someone on the other side of the planet to post ads or make fake reviews, secure in the knowledge that their local police don’t care.

>People losing their house keys is not generally an Earth shattering event.

yes because if you lose your house keys you don't lose your property, precisely because there is an entire legal and governmental apparatus securing it, the exact thing the crypto people first try to get rid of and then reinvent (shoddily) when they inevitably discover that nobody wants to live in the jungle


> Normies manage their house keys just fine.

Your local locksmith would beg to differ.


Not really sure this analogy works since the usability of my house and everything in it is unrelated to having them. The house keys only make getting into my house easier.

People seem to manage their WhatsApp (or Signal, etc.) keys just fine. Because it's an app that just stores it as a file and doesn't tell you about it.

So I think there are viable solutions here. It mostly just means having an app to manage the keys for you.


> People seem to manage their WhatsApp (or Signal, etc.) keys just fine.

The opposite is the case: WhatsApp and Signal manage the keys for them, mostly in the background (unless you actively verify identities).

You can try it yourself: Turn off your phone, ask a friend to send you a message, throw your phone into a volcano, reactivate your account on a new phone without entering any secret keys. You'll still receive the message.

I personally think that most of Signal's and even WhatsApp's tradeoffs are reasonable for a product with an adoption of hundreds of millions, but it's decidedly not cryptographic self-custody.


Both Signal and WhatsApp punt key revocation and recovery to phone number verification, so ultimately these keys belong to the phone number provider.

Sure, there are costs involved in the trade off, but the benefit is a system that actually works for the average user.

My point is that this is not a trade-off but a complete violation of the principles that are used to justify the existence of nostr.

Nostr's whole shtick is about "users owning their keys". If I can not change the keys used on WhatsApp or Signal, I do not own them. They are not in the same class, so the comparison is moot.


I don't see any reason why an app approach can't support that.

But honestly one of the reasons why these sorts of apps don't take off, is they rigidly adhere to security properties that don't make sense and nobody really cares about, at the expense of making an unusable app.


> I don't see any reason why an app approach can't support that.

Matrix clients have e2ee encryption like Signal or WhatsApp.

Every single one of my close contacts that I have on my server have ignored or misunderstood the instructions to download and store the recovery key when they first access the servers.

I have customers on my support channel who keep trying different clients (Element, ElementX, Fractal) and every time they fail to validate their sessions.

Then I have customers who got their phone stolen and then come asking me to either delete the data on their phone.

---

There is no magic about "putting it in an app to manage it". If any "app approach" you come up with creates a sandbox between user and device, then the user can not even see their private keys, then they effectively do not own it.

If you are doing "nostr, but with keys sandboxed on the device", then you are just recreating Signal - which is not decentralized - then what's the point?


Sandboxing keys on the device is indeed removing one point of nostr, but to clarify on your point: The difference between Signal and Nostr is that in nostr there are hundreds of independent servers (relays) that your app broadcasts events to, whereas on Signal it's just one centralized server.

https://sneak.berlin/20181022/sneaks-law/

sneak’s law: “Users can not and will not securely manage key material.”


they already manage passwords and passkeys. It isn't that complicated.


how is it any more difficult than taking care of a password?

It is not about the difficulty, it's the potential consequences.

People also take care of their house keys and their wallets, but if I lose the keys to my house, it isn't automatically taken over by squatters and if I lose my ID card I can issue a new one quickly.

What happens if you lose the cryptographic key to your nostr account? Who do you call for help?


Can I click a link to reset my keys?

What happens when the key is lost, and the consequences like "lose all your money" or "lose your account access" are non-starters, as someone who owns a hardware key for my email account

Multi-sig wallets are even more complicated and not for normies


what happens if you lose your password? You click a link to reset it, and it gets sent to your email. What happens if you lose access to your email password?

It is the same problem.


My email has multiple recovery methods

It's not the same problem


Send your key to your email. Then it's less secure but I take it you wouldn't mind.

This attitude (the snark) is why Nostr fails to attract any meaningful number of users outside of the crypto bro cult(ure)


