nips/22.md

NIP-22
======

Key Migration
-------------

`draft` `optional`

`Kind:18` informs the network that the owner of the pubkey is migrating to a new key. 

The event MUST contain a single `p` tag with the new pubkey owner will be using. 

```js
{
  "kind": 18,   
  "tags": [
    ["p", "<pubkey>", "<relay_url>"],
  ],
  "content": "<comment to followers>"
  //...
}
```

## Confirmation Chains

Since the owner's keys might have leaked and `kind:18`s might come from attackers, `kind:18`s **alone** can't be trusted. 

Close acquaintances to the owner should verify the owner's intention off nostr and signal their conclusion by adding the new key to their contact lists. 

Others may choose to follow suit based on their trust in such acquaintances.

## Interpretation

The presence of one or more `kind:18`s, no matter who writes it, declares the key to be out of use, unreliable, unsafe, and potentially stolen: No event, past and future, from this key can be trusted anymore.  

Users that have a `kind:18` published by their keys MUST migrate to a new key. 

There can be multiple `kind:18`s pointing to separate new keys. Finding which event is the right one requires observing contact lists of trusted keys.

## Information Retention

Clients SHOULD send `kind:18` to as many relays as possible, not only to the owner's relay list.  

Relays and Clients MUST reject Event Deletion ([NIP-09](09.md)) requests of `kind:18`s.

Clients SHOULD use Generic Reposts (`kind:16`) to warn followers and improve `kind:18`'s retention on relays. Generic Reposts MUST include a JSON-stringified version of the `kind:18` in its `.content` and a `k`-tag set to `18`

Generic Repost events MUST NOT be considered a user's final decision on which key to switch to. Contact lists are the only source of confirmation.  

## Client Behavior

Upon receiving a new `kind:18`, Clients MUST warn their user the pubkey is unsafe. 

Clients MAY download follow lists of follows and display when a follow has switched to a new key. 

It's ok to delay confirmation until trusted keys start informing their assessments.

Upon confirmation, Clients SHOULD offer transition to the new key by: 
1. Changing the contact list accordingly
2. Changing any NIP-51 list accordingly 
3. Adding the old key to the Mute List
Simple key rotation procedure with web of trust. 2024-02-16 10:06:52 -05:00			`NIP-22`
			`======`

Changing the name 2024-02-16 10:12:53 -05:00			`Key Migration`
			`-------------`
Simple key rotation procedure with web of trust. 2024-02-16 10:06:52 -05:00
			`draft` `optional`

minor adjustments 2024-02-17 18:01:59 -05:00			`Kind:18` informs the network that the owner of the pubkey is migrating to a new key.
Improves the wording 2024-02-17 17:56:33 -05:00
			The event MUST contain a single `p` tag with the new pubkey owner will be using.
Simple key rotation procedure with web of trust. 2024-02-16 10:06:52 -05:00
			```js
			`{`
minor text adjusments 2024-02-16 10:22:03 -05:00			`"kind": 18,`
Simple key rotation procedure with web of trust. 2024-02-16 10:06:52 -05:00			`"tags": [`
			`["p", "<pubkey>", "<relay_url>"],`
			`],`
			`"content": "<comment to followers>"`
			`//...`
			`}`
			```

Improves the wording 2024-02-17 17:56:33 -05:00			`## Confirmation Chains`

slightly improving text 2024-02-18 12:25:33 -05:00			Since the owner's keys might have leaked and `kind:18`s might come from attackers, `kind:18`s alone can't be trusted.
Improves the wording 2024-02-17 17:56:33 -05:00
			`Close acquaintances to the owner should verify the owner's intention off nostr and signal their conclusion by adding the new key to their contact lists.`
Adds clarification that kind18 alone cannot be trusted Adds clarification that this requires web of trust validation Adds k-tag to generic reposts Adds optional behavior to client. 2024-02-17 17:50:50 -05:00
minor adjustments 2024-02-17 18:01:59 -05:00			`Others may choose to follow suit based on their trust in such acquaintances.`
Simple key rotation procedure with web of trust. 2024-02-16 10:06:52 -05:00
			`## Interpretation`

minor adjustments 2024-02-17 18:01:59 -05:00			The presence of one or more `kind:18`s, no matter who writes it, declares the key to be out of use, unreliable, unsafe, and potentially stolen: No event, past and future, from this key can be trusted anymore.
Simple key rotation procedure with web of trust. 2024-02-16 10:06:52 -05:00
			Users that have a `kind:18` published by their keys MUST migrate to a new key.

Improves the wording 2024-02-17 17:56:33 -05:00			There can be multiple `kind:18`s pointing to separate new keys. Finding which event is the right one requires observing contact lists of trusted keys.
Simple key rotation procedure with web of trust. 2024-02-16 10:06:52 -05:00
minor adjustments 2024-02-17 18:01:59 -05:00			`## Information Retention`
Simple key rotation procedure with web of trust. 2024-02-16 10:06:52 -05:00
Adds clarification that kind18 alone cannot be trusted Adds clarification that this requires web of trust validation Adds k-tag to generic reposts Adds optional behavior to client. 2024-02-17 17:50:50 -05:00			Clients SHOULD send `kind:18` to as many relays as possible, not only to the owner's relay list.

			Relays and Clients MUST reject Event Deletion ([NIP-09](09.md)) requests of `kind:18`s.
Simple key rotation procedure with web of trust. 2024-02-16 10:06:52 -05:00
slightly improving text 2024-02-18 12:25:33 -05:00			Clients SHOULD use Generic Reposts (`kind:16`) to warn followers and improve `kind:18`'s retention on relays. Generic Reposts MUST include a JSON-stringified version of the `kind:18` in its `.content` and a `k`-tag set to `18`
Adds clarification that kind18 alone cannot be trusted Adds clarification that this requires web of trust validation Adds k-tag to generic reposts Adds optional behavior to client. 2024-02-17 17:50:50 -05:00
slightly improving text 2024-02-18 12:25:33 -05:00			`Generic Repost events MUST NOT be considered a user's final decision on which key to switch to. Contact lists are the only source of confirmation.`
Simple key rotation procedure with web of trust. 2024-02-16 10:06:52 -05:00
			`## Client Behavior`

			Upon receiving a new `kind:18`, Clients MUST warn their user the pubkey is unsafe.

minor adjustments 2 2024-02-17 18:10:37 -05:00			`Clients MAY download follow lists of follows and display when a follow has switched to a new key.`
Simple key rotation procedure with web of trust. 2024-02-16 10:06:52 -05:00
minor adjustments 2 2024-02-17 18:10:37 -05:00			`It's ok to delay confirmation until trusted keys start informing their assessments.`
Adds clarification that kind18 alone cannot be trusted Adds clarification that this requires web of trust validation Adds k-tag to generic reposts Adds optional behavior to client. 2024-02-17 17:50:50 -05:00
minor adjustments 2 2024-02-17 18:10:37 -05:00			`Upon confirmation, Clients SHOULD offer transition to the new key by:`
Simple key rotation procedure with web of trust. 2024-02-16 10:06:52 -05:00			`1. Changing the contact list accordingly`
			`2. Changing any NIP-51 list accordingly`
minor text adjusments 2024-02-16 10:22:03 -05:00			`3. Adding the old key to the Mute List`