sethforprivacy
commented
1 year ago Example QR code for testing:
Closed sethforprivacy closed 11 months ago
sethforprivacy
commented
1 year ago Example QR code for testing:
alltheseas
commented
1 year ago Can you add bounty and bounty amount in sats to the issue title
sethforprivacy
commented
1 year ago Can you add bounty and bounty amount in sats to the issue title
Done!
jb55
commented
1 year ago When scanning from QR, do we not want it saved in the keychain ?
sethforprivacy
commented
1 year ago When scanning from QR, do we not want it saved in the keychain ?
We went back and forth on that type of functionality in the Amethyst issue linked, I think both storing and not storing have valid reasons behind them. I personally wouldn't want it stored in the Keychain, but I'll leave that final choice to you.
jb55
commented
1 year ago On Tue, Aug 01, 2023 at 05:30:18AM -0700, Seth For Privacy wrote:
When scanning from QR, do we not want it saved in the keychain ?
We went back and forth on that type of functionality in the Amethyst issue linked, I think both storing and not storing have valid reasons behind them. I personally wouldn't want it stored in the Keychain, but I'll leave that final choice to you.
I think QR-scan workflows should not store in keychain. I assume people who are using qrcode are doing it for a specific reason, like keeping it offline, even if damus does retain it in memory during the session.
alltheseas
commented
1 year ago The analogy that comes to mind is a yubikey. Key can be set up as requirement for authentication.
jerihass
commented
11 months ago Here is what I've put together. It might need a little bit of design work, but it will:
The video recording doesn't show filled in secure fields (Apple's video recording implementation).
https://github.com/damus-io/damus/assets/77637794/bf807d9d-aa93-4ecd-a653-16f44844708d
jb55
commented
11 months ago On Sat, Sep 30, 2023 at 08:06:05AM -0700, jerihass wrote:
Here is what I've put together. It might need a little bit of design work, but it will:
- Allow scanning of QR codes, and if detects a nsec, will provide it to the login prompt.
- If nsec is provided, provides option to keep nsec in keychain; default is to not store
- User stays logged in until they logout, or app is force-quit.
The video recording doesn't show filled in secure fields (Apple's video recording implementation).
https://github.com/damus-io/damus/assets/77637794/bf807d9d-aa93-4ecd-a653-16f44844708d
looks great! maybe design wise we can make it a little QR icon instead of a button
alltheseas
commented
11 months ago Nice @jerihass !
Have you tested with other hardware signing devices (do other HSDs support nostr keys)?
jerihass
commented
11 months ago Nice @jerihass https://github.com/jerihass !
Thanks! Have you tested with other hardware signing devices (do other HSDs support nostr keys)?
I haven’t tested on anything besides the photo of the qr code.
If we want to support other login methods, I can start to make this a protocol, or really it should end up being a library/framework for any iOS nostr client to use. I don’t have access to any HSDs (new job and rough economic situation prevent me from securing one at this at this time).
alltheseas
commented
11 months ago @kdmukai does seedsigner have a nsec qr display feature?
jerihass
commented
11 months ago Updated screens.
jb55
commented
11 months ago On Sat, Sep 30, 2023 at 02:16:48PM -0700, jerihass wrote:
Updated screens.
I was thinking more next to the paste nsec button, gray. This doesn't need to be a primary action button.
jerihass
commented
11 months ago I was thinking more next to the paste nsec button, gray. This doesn't need to be a primary action button.
Good. Makes more sense. Easy change to make!
jerihass
commented
11 months ago jb55
commented
11 months ago On Sun, Oct 01, 2023 at 03:49:06AM -0700, jerihass wrote:
I like 3rd one
kdmukai
commented
11 months ago @kdmukai does seedsigner have a nsec qr display feature?
I forget what my experimental nostr branch supported, but I suspect the answer is no. The goal was to apply the SeedSigner philosophy in the nostr world, so it was more about signing delegations with an airgapped key that's never made hot.
sethforprivacy
commented
11 months ago @jb55 who should the bounty be sent to here? Want to be sure it gets to the right person!
alltheseas
commented
11 months ago @jb55 who should the bounty be sent to here? Want to be sure it gets to the right person!
@jerihass what's your npub/LNaddress ?
jerihass
commented
11 months ago @jb55 who should the bounty be sent to here? Want to be sure it gets to the right person!
@jerihass what's your npub/LNaddress ?
npub1el277q4kesp8vhs7rq6qkwnhpxfp345u7tnuxykwr67d9wg0wvyslam5n0
Thanks! 🙏
sethforprivacy
commented
11 months ago @jb55 who should the bounty be sent to here? Want to be sure it gets to the right person!
@jerihass what's your npub/LNaddress ?
npub1el277q4kesp8vhs7rq6qkwnhpxfp345u7tnuxykwr67d9wg0wvyslam5n0
Thanks! 🙏
Sent!
jerihass
commented
11 months ago Sent!
Received!
One of the core issues with Nostr today is that generating and storing a Nostr private key is cumbersome and insecure by default. A solution to one of the problems (namely secure storage and backups) is to generate and store private keys on a secure hardware device (like Foundation's Passport) and export it only when necessary to sign into an app like Damus.
This simplifies backups (keys are derived from a master seed via the same approach as BIP 85) and allows you to never store your key in a password manager, text file, etc.
This can be implemented by allowing users to scan in the nsec formatted key via QR code when logging into Damus.
Bounty (in sats) offered for the implementation I'm offering 100,000 sats for this once implemented and usable in Damus.
Total bounty (as of June 13th): 100,000 sats
Related Amethyst issue:
https://github.com/vitorpamplona/amethyst/issues/328
Note that this is working in Amethyst today, so can be used for UX comparisons etc.