Re: http-schnorr-sig -- HTTP Authentication Using Schnorr Signatures

čt 19. 9. 2024 v 20:59 odesílatel John O'Hare <J.OHare5@salford.ac.uk>
napsal:

> This is really interesting and good to see, thanks. It all speaks to some
> cross integration and design issues I have been circling round for a while.
>

Thanks for the thoughtful feedback.


>
> Regarding the potential merging / conflating of NIP 96 and 98, I worry
> that the simplicity of nostr is such a core feature of the protocol, and
> this might allow waste / creep / divergence.
>

On NIP-96 and NIP-98, I share your concern about keeping nostr simple.
Right now, we're focusing on NIP-98, and while the hash for multi-part
uploads connects them, it's only come up once, so maybe not a major issue
yet.


>
> Personally, the ability to commit small amounts of data in one go would be
> a huge boon to me, perhaps reduce some latency in complex exchanges. Is
> there a way to make them independent but interconnected in such a way that
> it could form an extension to the auth later if there's a significant
> demand or usecase?
>

Regarding small data commits, yes, HTTP PUT works well for this, and
Schnorr auth can tie into any HTTP verb, enabling both large and small data
exchanges. I've been integrating this with Solid [1] for small file
handling and login—here's a short video demo (apologies for the cheesy 90s
music!):

https://melvin.solid.social/public/schnorr.mp4

Best,
Melvin

Best
Melvin

[1] https://solidproject.org/


>
> Thanks,
>
> John
>
>
> --
> Chief Hallucination Officer - Dreamlab
> <https://narrativegoldmine.com/#/page/introduction%20to%20me>
> ------------------------------
> *From:* Melvin Carvalho <melvincarvalho@gmail.com>
> *Sent:* 19 September 2024 13:56
> *To:* public-nostr@w3.org <public-nostr@w3.org>
> *Subject:* Re: http-schnorr-sig -- HTTP Authentication Using Schnorr
> Signatures
>
>
> Hi all,
>
> Thanks for the feedback so far. I've received three pieces of concrete
> input:
>
>    1. From the Solid OS team — they've implemented Schnorr signatures for
>    chat, but not login. It would be useful to include the WebID in the auth
>    string, so both the key and WebID can be verified.
>    2. Kieran (co-author of NIP-98) suggested improving the description of
>    how events are signed.
>    3. Brugeman pointed out that "serialized event" is mentioned a few
>    times without specifying the serialization method.
>
> I’ve raised issues for these here:
> https://github.com/nostrcg/http-schnorr-auth/issues
>
> Let’s aim to fix these in the next draft, probably this week or early next.
> Happy to get more feedback anytime, either publicly or privately.
>
> Best,
> Melvin
>
> ne 15. 9. 2024 v 8:19 odesílatel Melvin Carvalho <melvincarvalho@gmail.com>
> napsal:
>
> Hi all,
>
> Hope you're doing well.
>
> I've been working on a draft specification titled "HTTP Authentication
> Using Schnorr Signatures". It explores using Schnorr signatures to
> authenticate HTTP requests, aiming for a decentralized and secure
> authentication method that could benefit web applications.
>
> You can check out the draft here:
>
> https://nostrcg.github.io/http-schnorr-auth/
>
> The ongoing discussion on multi-part payloads [1] has not (yet) been
> addressed.  But this can be added if there is interest.
>
> Would love to hear your thoughts and get some discussion going. Any
> feedback or suggestions are most welcome.
>
> Looking forward to collaborating with you all on this.
>
> Cheers,
>
> Melvin
>
> [1] https://lists.w3.org/Archives/Public/public-nostr/2024Aug/0000.html
>
>

Received on Monday, 23 September 2024 17:13:10 UTC