- From: Melvin Carvalho <melvincarvalho@gmail.com>
- Date: Fri, 8 Aug 2025 18:46:09 +0200
- To: public-nostr@w3.org
- Message-ID: <CAKaEYhLihnf5ZAbDS558e-qaiZEa1-iTTcMHG33Gr0Ldv_hStw@mail.gmail.com>
Library: https://github.com/nostrapps/bech32-label Demo: https://nostrapps.github.io/bech32-label/ pá 8. 8. 2025 v 18:16 odesílatel Melvin Carvalho <melvincarvalho@gmail.com> napsal: > Hi all, > > To reduce cross-tenant XSS/CSRF risk, I’d like to standardize a simple > per-identity subdomain convention so each user’s data lives on its own > origin (separate cookies, localStorage, Service Workers, caches). > > Proposal: > > Input: 32-byte Nostr pubkey. > > Encoding: bech32 data-only (same alphabet as npub), no HRP, no checksum. > > Rule: convert 8→5 bits MSB-first with zero-padding; map to the bech32 > charset; result is exactly 52 lowercase chars. > > Usage: <52-char-label>.<provider-domain> as the storage origin. > > Why not other encodings? > > 64-char hex can’t be a single DNS label—label max is 63, so it’s one > character too long. > > Full npub… is display-friendly but not ideal as a normative origin ID. It > carries an HRP/checksum that isn’t tied to cryptographic versioning (e.g., > bech32 vs bech32m / taproot semantics), so it’s not future-proof. Perhaps > best treated as UI display only. > > Benefits: deterministic, DNS-safe, reversible, widely familiar to the > Nostr community (same bech32 alphabet), and easy to implement > consistently—satisfying the Test of Independent Invention. > > If there’s interest, I can share a tiny draft (spec + test vectors + JS > helper) for review. > > Best, > Melvin >
Received on Friday, 8 August 2025 16:46:25 UTC