From 346704d7c8649a502c333627e864edf3a0f2fa02 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?V=C3=A1clav=20Navr=C3=A1til?= Date: Wed, 1 May 2024 20:33:26 +0200 Subject: [PATCH] NIP-85: Attestation of DNS-based identity providers --- 85.md | 108 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 108 insertions(+) create mode 100644 85.md diff --git a/85.md b/85.md new file mode 100644 index 0000000..52d8138 --- /dev/null +++ b/85.md 
@@ -0,0 +1,108 @@ + +NIP-85 +====== + +Attestation of DNS-based identity providers +-------------------------------------------- + +`draft` `optional` + +NIP-85 extends the well established NIP-05 in the way that clients would be able to verify not only the `` but also assess the `` part based on published attestations from other NIP-05 identity providers. This will allow clients to select trusted identity providers which then will extend to all of their attestees. + +#### Example + +If a client sees an event like this: + +```json +{ + "pubkey": "b0635d6a9851d3aed0cd6c495b282167acf761729078d975fc341b22650b07b9", + "kind": 0, + "content": "{\"name\": \"bob\", \"nip05\": \"bob@example.com\"}" + ... +} +``` + +It will make a GET request to `https://example.com/.well-known/nostr.json?name=bob` and get back a response that will look like + +```json +{ + "names": { + "bob": "b0635d6a9851d3aed0cd6c495b282167acf761729078d975fc341b22650b07b9" + }, + "attestators": { + "bob@example.com": [ "https://example1.net", "https://example2.org" ], + "example.com": [ "https://nip-provider1.test", "https://example3.info" ] + } +} +```` + +or with the **recommended** `"relays"` attribute: + +```json +{ + "names": { + "bob": "b0635d6a9851d3aed0cd6c495b282167acf761729078d975fc341b22650b07b9" + }, + "relays": { + "b0635d6a9851d3aed0cd6c495b282167acf761729078d975fc341b22650b07b9": [ + "wss://relay.example.com", + "wss://relay2.example.com" + ] + }, + "attestators": { + "bob@example.com": [ "https://example1.net", "https://example2.org" ], + "example.com": [ "https://nip-provider1.test", "https://example3.info" ] + } +} +```` + +If the pubkey matches the one given in `"names"` (as in the example above) that means the association is right and the client can continue to verify attestations from the `"attestators"` attribute contains an object with two optional attributes. 
One equal to the (`` and ``) `"nip05"` identifier with value consisting of an array of URLs of attestators atesting this individual `"nip05"` identifier. The second attribute is equal to the `` and the value is an array of URLs attesting the whole `` of the DNS-based identity provider. + +### Attestation verification + +Attestation can be conducted on an individual level for a specific `"nip05"` identifier or for a whole domain. The differentiator between individual and domain attestation request is the occurrence of `@` in the value of the `"attest"` URL parameter. + +#### Individual attestation verification + +Client will make a GET request to `https://example1.net/.well-known/nostr.json?attest=bob@example.com` and get back a response that will look like: + +```json +{ + "attestations": { + "bob@example.com": "b0635d6a9851d3aed0cd6c495b282167acf761729078d975fc341b22650b07b9" + }, + "attestators": { + "example1.net": [ "https://well-known-nip-provider.test", "https://nip-provider2.test" ] + } +} +```` + +The response contains a JSON document object with one mandatory `"attestations"` and one optional `"attestators"` attribute. In `"attestations"` if the public key for the given `"nip05"` matches the previously received `pubkey`, the client then concludes that the given `"nip05"` is attested by this provider. + +The optional `"attestators"` attribute can contain an object with `` attribute and value as an array of URLs attesting the whole `` of the DNS-based identity provider allowing recursive domain attestation. 
+ +#### Domain attestation verification + +Client will make a GET request to `https://nip-provider1.test/.well-known/nostr.json?attest=example.com` and get back a response that will look like: + +```json +{ + "attestations": { + "example.com": true + }, + "attestators": { + "nip-provider1.test": [ "https://another-known-nip-provider.test", "https://nip-provider3.test" ] + } +} +```` + +The response contains a JSON document object with one mandatory `"attestations"` and one optional `"attestators"` attribute. In `"attestations"` if the attribute matches the requested `` and the value is `true`, the client then concludes that the whole `` is attested by this provider. + +The optional `"attestators"` attribute can contain an object with `` attribute and value as an array of URLs attesting the whole `` of the DNS-based identity provider allowing recursive domain attestation. + +### Notes +Clients should track the recursive requests to the attestators domains to prevent infinite loops of recursive attestations. + +Client should keep requesting attestation until a link between atteste and the trusted identity provider is established, all attestation options are exhausted or an attestation limit set by the client is reached. + +For implementation clients can use different colors and or emojis to display the `"nip05"` validity and attestation status. For example gold check-mark for fully attested, blue check-mark for valid but not attested and red cross for invalid `"nip05"` identities.
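Review bot: the attestation lookups never bind a response to the host that served it, and the text should require that check. In the individual-attestation example the reply fetched from `https://example1.net/.well-known/nostr.json?attest=bob@example.com` carries `"attestators": { "example1.net": [...] }`, and the domain-attestation reply from `nip-provider1.test` carries `"attestators": { "nip-provider1.test": [...] }`, but nothing says a client must reject a reply whose `"attestations"` key is not the exact identifier it asked for or whose `"attestators"` key is not the domain it queried; without that rule a provider can answer `?attest=example.com` with an attestation (or a further attestator list) for an unrelated name, and because every `"attestators"` URL list is published by the party being vouched for, a chain only means something if each hop passes this check and the chain ends at a provider the client already trusts (the "Notes" loop and limit guidance should state that explicitly rather than leaving it to "until a link ... is established"). It should also say how an attestator URL such as `https://example1.net` is turned into the query (append `/.well-known/nostr.json?attest=...`) and whether non-HTTPS URLs or redirects are permitted, since the examples only show bare origins. Two rendering problems: every closing fence is four backticks while the opening ones are three, which breaks the Markdown rendering of all four JSON blocks, and the inline placeholders render as empty code spans (``) throughout, likely because angle-bracket tokens such as `<domain>` were stripped, so the sentence "`"attestators"` attribute contains an object with two optional attributes. One equal to the (`` and ``) `"nip05"` identifier ..." cannot be read as written. Spelling: "atteste" and "atesting" should be "attestee" and "attesting".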