Trusting rumors by entirely trusted relay list

[nanikamado]

I'm a developer of Momostr, another Nostr-Fediverse bridge.

After discussions with some Fediverse users, I decided to require Nostr users to register their pubkeys to use the bridge, and block both read and write access for those who are not registered, like a paid relay.

Not only that, I want to make it impossible for events in the bridge relay to be broadcast to other relays, even if it compromises compatibility.

The "-" tag is not enough for my use case.

I have implemented this NIP on my relay already nanikamado/rockstr@f968149.

I'm planning to fork a web client and implement this NIP on it, but first I'd like to hear what you guys think.

[Semisol]

Not only that, I want to make it impossible for events in the bridge relay to be broadcast to other relays, even if it compromises compatibility.

It is a client defect to ignore the - tag or do unintended rebroadcasts.

[nanikamado]

That's true, but support for NIP-70 is optional, and I want to make it literally impossible.

[fiatjaf]

How does this make it literally impossible for a relay to host public content?

[nanikamado]

"literally impossible" might be an exaggeration, but most relays and clients verify signatures.

I want to minimize the possibility of someone who does not know about the bridge finding a bridged account and getting confused.

[vitorpamplona]

I have coded something similar last year to host internal comms for a company. While the scheme works, you need to realize that in the same way that you are asking clients to not verify, other relays can also opt to not verify those rumors. If enough relays do that, your unsigned database will be broadcast just like if they had a signature. There could be whole ecosystems of clients and relays that don't verify anything. And your rumors would flow on those servers in the same way signed messages flow today, defeating the purpose of this NIP. I gave up on that idea because I started to see these tools being developed as company-owned scripts. Once you get enough of them it becomes a treat to everything we dear valuable in Nostr.

In the end, Nostr is simply not designed to control the spread of its data. In many ways, Nostr's whole point is quite the opposite: to not offer any opportunity for relays to control the ownership of the data. I read your discussion with ActivePub folks and they have a need to control it. I find those two worlds impossible to bridge. Since Nostr cannot offer any tool to control the dissemination of data, it will be up to active pub users to change their mind and allow others to have their data. But that to me defeats the whole purpose of using ActivePub in the first place.

[pablof7z]

In the end, Nostr is simply not designed to control the spread of its data. In many ways, Nostr's whole point is quite the opposite: to not offer any opportunity for relays to control the ownership of the data. I read your discussion with ActivePub folks and they have a need to control it. I find those two worlds impossible to bridge. Since Nostr cannot offer any tool to control the dissemination of data, it will be up to active pub users to change their mind and allow others to have their data. But that to me defeats the whole purpose of using ActivePub in the first place.

Very well put. Completely agree. There are points of view that can't be reconciled; thinking you can have something digitally that can't be endlessly copied being one of them. It is quite literally retarded, as torrents and so many other things have proven over and over.

You don't own your data. On nostr or anywhere else. That makes no sense.

[pablof7z]

(saying this about the fediverse people, not about the author of this PR btw! 😂 the idea of stripping signatures has been entertained by many of us!)

[staab]

I like this as an escape hatch when deniability is desirable. It shouldn't be considered a privacy tool, but it is useful for things that live in a gray area, like community-exclusive content. I'm planning to use rumors in flotilla, where if a relay is publishing rumors I'll ask the user to confirm if they want to trust the relay. This event would be a good way to record that trust.

Small criticisms: I don't know if the alt tag requirement is a great solution for the problem it's intended to solve. It would also be nice to be able to publish trusted relay lists privately by encrypting stuff into the content, similar to NIP 51 lists. In fact, this could probably just be an addition to that NIP.

That said, I do think Vitor makes a good point that too liberal implementation of this would undermine the protocol's integrity. But I also think that signed data is one of nostr's biggest benefits; if people don't want to check signatures that's a huge handicap. But there are times when it's very reasonable to skip signature checking.

[nanikamado]

if a relay is publishing rumors I'll ask the user to confirm if they want to trust the relay. This event would be a good way to record that trust.

Small criticisms: I don't know if the alt tag requirement is a great solution for the problem it's intended to solve. It would also be nice to be able to publish trusted relay lists privately by encrypting stuff into the content, similar to NIP 51 lists. In fact, this could probably just be an addition to that NIP.

The person who publishes this event is the one who wants to publish rumors, not the one who wants to read rumors. So this is not an event for saving client settings.

The explanation of the Client Behavior wasn't very clear so I fixed it.

[nanikamado]

you need to realize that in the same way that you are asking clients to not verify, other relays can also opt to not verify those rumors.

@vitorpamplona Are you saying that a weirdo can edit their relay code so that every time it receives a rumor, it would do the check I wrote in the Client Behavior, even though most clients do not trust those rumors?

That's true but I don't think enough relays would do that.

[vitorpamplona]

My experience is that once you start protecting content there is an immediate desire by devs and users to unprotect that content. But maybe it's just me.

[nanikamado]

Any motivation to do that?

If you just want to read content from my relay, you can do so just by registering your pubkey. If you need an open fedi bridge, you can just use mostr.pub.

[staab]

The person who publishes this event is the one who wants to publish rumors, not the one who wants to read rumors.

Oh, I see. I take back my approval, in normal cases events should be signed by the author and signatures stripped only by an intermediary trusted by the receiving party. I see why you'd want to do this for a bridge, but I don't think it's a good idea for the reasons @vitorpamplona cited.