Changes based on feedback

author: Mark Harding <mark@minds.com> 2022-08-24 13:24:50 +0100
committer: Mark Harding <mark@minds.com> 2022-08-24 13:24:50 +0100
commit: 78522b50a11ceca943a028fb4be2d10658d563a5 (patch)
tree: 1ef4c67de9781655b88729c15fdb97bc2de6dcf0 /26.md
parent: e13f6d39b954764ae4d8a4478f3e9b62fe74e5ab (diff)
1 files changed, 32 insertions, 46 deletions
diff --git a/26.md b/26.md
index 17255e2..4557875 100644
--- a/26.md
+++ b/26.md
@@ -4,77 +4,63 @@ NIP: 26
 Delegated Event Signing
 -----
-`draft` `mandatory` `author:markharding` `author:minds`
+`draft` `optional` `author:markharding` `author:minds`
-This NIP defines how events should be verified and signed to support generating events on behalf of someone else. It should be possible to sign Nostr events from other keypairs.
+This NIP defines how events can be delegated so that they can be signed by other keypairs.
 Another application of this proposal is to abstract away the use of the 'root' keypairs when interacting with clients. For example, a user could generate new keypairs for each client they wish to use and authorize those keypairs to generate events on behalf of their root pubkey, where the root keypair is stored in cold storage. 
-#### Introducing the 's' tag
+#### Introducing the 'delegation' tag
-This NIP introduces a new tag: `s` which is formatted as follows:
+This NIP introduces a new tag: `delegation` which is formatted as follows:
 ```json
 [
-  "s",
+  "delegation",
-  <signed pairing payload (base64 encoded)>,
+  <pubkey of the delegator>,
-  <signed pairing signature (64-bytes shnnorr signature of the sha256 hash of the signed pairing payload>
+  <conditions query string>,
+  <64-bytes schnorr signature of the sha256 hash of the delegation token>
 ]
 ```
-##### Signed Pairing Payload
+##### Delegation Token
-The Signed Pairing Payload should be a `base64` encoded JSON object as follows: 
+The **delegation token** should be a 64-bytes schnorr signature of the sha256 hash of the following string:
-```json
+```
-{
+nostr:delegation:<pubkey of publisher (delegatee)>:<conditions query string>
-  "signerkey": <32-bytes hex-encoded public key of who is authorized to sign>,
-  "created_at": <unix timestamp of issued time>,
-  "expires_at": <optional, if present unix timestamp of invalidation time>
-}
 ```
-For example, the Signed Pairing Payload `eyJzaWduZXJrZXkiOiI2MjkwM2IxZmY0MTU1OWRhZjllZTk4ZWYxYWU2N2NjNTJmMzAxYmI1Y2UyNmQxNGJhYmEzMDUyZjY0OWMzZjQ5IiwiY3JlYXRlZF9hdCI6MTY1OTQ0NjMxNX0=` consists of the payload:
+For example, the token `c33c88ba78ec3c760e49db591ac5f7b129e3887c8af7729795e85a0588007e5ac89b46549232d8f918eefd73e726cb450135314bfda419c030d0b6affe401ec1` is signed by `86f0689bd48dcd19c67a19d994f938ee34f251d8c39976290955ff585f2db42e` and consists of:
 ```json
-{
+nostr:delegation:62903b1ff41559daf9ee98ef1ae67cc52f301bb5ce26d14baba3052f649c3f49:kind=1&created_at>1640995200
-  "signerkey": "62903b1ff41559daf9ee98ef1ae67cc52f301bb5ce26d14baba3052f649c3f49",
-  "created_at": 1659446315
-}
 ```
-##### Signed Pairing Signature
-The Signed Pairing Signature is a schnorr signature of the sha256 hash of the Signed Pairing Payload. For example `2ed3e4b8470ce37b7e1946441a323d1d71c8a846fe49787ec406e14a44632cc96e48cabccc4a526eedd51aca33bf2a5cf7fb85462d23ad6d4de29c8b91abc41b` is a signature of the payload mentioned above.
-#### Modifying event verification
-When the `s` tag is provided, events **must** be signed and verified by the respective private key of the `signerkey`. Clients/relays **should** confirm that no revocation have been created with a greater `created_at` value. 
-Clients **must** verify the token is valid. The token **may** include the `expires_at` field if it wishes the delegated signing to be temporary (ie. sign events for 2 hours, 7 days, etc). 
-> TODO: How to revoke. This could be a future NIP.
 #### Example
 Below is an example of an event published by `62903b1ff41559daf9ee98ef1ae67cc52f301bb5ce26d14baba3052f649c3f49`, on behalf of `86f0689bd48dcd19c67a19d994f938ee34f251d8c39976290955ff585f2db42e`.
 ```json
 {
-   "id":"23bf557814cd294d77a52e43d16903862c231857319f950ba40474fde1b9c393",
+  "id": "a080fd288b60ac2225ff2e2d815291bd730911e583e177302cc949a15dc2b2dc",
-   "pubkey":"86f0689bd48dcd19c67a19d994f938ee34f251d8c39976290955ff585f2db42e",
+  "pubkey": "62903b1ff41559daf9ee98ef1ae67cc52f301bb5ce26d14baba3052f649c3f49",
-   "created_at":1652969505,
+  "created_at": 1660896109,
-   "kind":1,
+  "kind": 1,
-   "tags":[
+  "tags": [
-      [
+    [
-         "s",
+      "delegation",
-         "eyJzaWduZXJrZXkiOiI2MjkwM2IxZmY0MTU1OWRhZjllZTk4ZWYxYWU2N2NjNTJmMzAxYmI1Y2UyNmQxNGJhYmEzMDUyZjY0OWMzZjQ5IiwiY3JlYXRlZF9hdCI6MTY1OTQ0NjMxNX0=",
+      "86f0689bd48dcd19c67a19d994f938ee34f251d8c39976290955ff585f2db42e",
-         "2ed3e4b8470ce37b7e1946441a323d1d71c8a846fe49787ec406e14a44632cc96e48cabccc4a526eedd51aca33bf2a5cf7fb85462d23ad6d4de29c8b91abc41b"
+      "kind=1&created_at>1640995200",
-      ]
+      "c33c88ba78ec3c760e49db591ac5f7b129e3887c8af7729795e85a0588007e5ac89b46549232d8f918eefd73e726cb450135314bfda419c030d0b6affe401ec1"
-   ],
+    ]
-   "content":"Hello Nostr. This is Minds calling.",
+  ],
-   "sig":"30f0ebb907bd23416dd32a14b905abeb1db3fde97c74a151c51e5503e91ed25d58fbdcd95910ea4c11dc49d3fca8c616c0e7489e0f8da37b0938a7ce393285e7"
+  "content": "Hello world",
+  "sig": "cd4a3cd20dc61dcbc98324de561a07fd23b3d9702115920c0814b5fb822cc5b7c5bcdaf3fa326d24ed50c5b9c8214d66c75bae34e3a84c25e4d122afccb66eb6"
 }
 ```
+#### Relay & Client Querying Support
+Relays should answer requests such as `["REQ", "", {"authors": ["A"]}]` by querying both the `pubkey` and delegation tags `[1]` value.
author	Mark Harding <mark@minds.com>	2022-08-24 13:24:50 +0100
committer	Mark Harding <mark@minds.com>	2022-08-24 13:24:50 +0100
commit	78522b50a11ceca943a028fb4be2d10658d563a5 (patch)
tree	1ef4c67de9781655b88729c15fdb97bc2de6dcf0 /26.md
parent	e13f6d39b954764ae4d8a4478f3e9b62fe74e5ab (diff)

diff --git a/26.md b/26.md index 17255e2..4557875 100644 --- a/26.md +++ b/26.md
@@ -4,77 +4,63 @@ NIP: 26
4	Delegated Event Signing	4	Delegated Event Signing
5	-----	5	-----
6		6
7	`draft` `mandatory` `author:markharding` `author:minds`	7	`draft` `optional` `author:markharding` `author:minds`
8		8
9	This NIP defines how events should be verified and signed to support generating events on behalf of someone else. It should be possible to sign Nostr events from other keypairs.	9	This NIP defines how events can be delegated so that they can be signed by other keypairs.
10		10
11	Another application of this proposal is to abstract away the use of the 'root' keypairs when interacting with clients. For example, a user could generate new keypairs for each client they wish to use and authorize those keypairs to generate events on behalf of their root pubkey, where the root keypair is stored in cold storage.	11	Another application of this proposal is to abstract away the use of the 'root' keypairs when interacting with clients. For example, a user could generate new keypairs for each client they wish to use and authorize those keypairs to generate events on behalf of their root pubkey, where the root keypair is stored in cold storage.
12		12
13	#### Introducing the 's' tag	13	#### Introducing the 'delegation' tag
14		14
15	This NIP introduces a new tag: `s` which is formatted as follows:	15	This NIP introduces a new tag: `delegation` which is formatted as follows:
16		16
17	```json	17	```json
18	[	18	[
19	"s",	19	"delegation",
20	<signed pairing payload (base64 encoded)>,	20	<pubkey of the delegator>,
21	<signed pairing signature (64-bytes shnnorr signature of the sha256 hash of the signed pairing payload>	21	<conditions query string>,
		22	<64-bytes schnorr signature of the sha256 hash of the delegation token>
22	]	23	]
23	```	24	```
24		25
25	##### Signed Pairing Payload	26	##### Delegation Token
26		27
27	The Signed Pairing Payload should be a `base64` encoded JSON object as follows:	28	The delegation token should be a 64-bytes schnorr signature of the sha256 hash of the following string:
28		29
29	```json	30	```
30	{	31	nostr:delegation:<pubkey of publisher (delegatee)>:<conditions query string>
31	"signerkey": <32-bytes hex-encoded public key of who is authorized to sign>,
32	"created_at": <unix timestamp of issued time>,
33	"expires_at": <optional, if present unix timestamp of invalidation time>
34	}
35	```	32	```
36		33
37	For example, the Signed Pairing Payload `eyJzaWduZXJrZXkiOiI2MjkwM2IxZmY0MTU1OWRhZjllZTk4ZWYxYWU2N2NjNTJmMzAxYmI1Y2UyNmQxNGJhYmEzMDUyZjY0OWMzZjQ5IiwiY3JlYXRlZF9hdCI6MTY1OTQ0NjMxNX0=` consists of the payload:	34	For example, the token `c33c88ba78ec3c760e49db591ac5f7b129e3887c8af7729795e85a0588007e5ac89b46549232d8f918eefd73e726cb450135314bfda419c030d0b6affe401ec1` is signed by `86f0689bd48dcd19c67a19d994f938ee34f251d8c39976290955ff585f2db42e` and consists of:
38		35
39	```json	36	```json
40	{	37	nostr:delegation:62903b1ff41559daf9ee98ef1ae67cc52f301bb5ce26d14baba3052f649c3f49:kind=1&created_at>1640995200
41	"signerkey": "62903b1ff41559daf9ee98ef1ae67cc52f301bb5ce26d14baba3052f649c3f49",
42	"created_at": 1659446315
43	}
44	```	38	```
45		39
46	##### Signed Pairing Signature
47
48	The Signed Pairing Signature is a schnorr signature of the sha256 hash of the Signed Pairing Payload. For example `2ed3e4b8470ce37b7e1946441a323d1d71c8a846fe49787ec406e14a44632cc96e48cabccc4a526eedd51aca33bf2a5cf7fb85462d23ad6d4de29c8b91abc41b` is a signature of the payload mentioned above.
49
50	#### Modifying event verification
51
52	When the `s` tag is provided, events must be signed and verified by the respective private key of the `signerkey`. Clients/relays should confirm that no revocation have been created with a greater `created_at` value.
53
54	Clients must verify the token is valid. The token may include the `expires_at` field if it wishes the delegated signing to be temporary (ie. sign events for 2 hours, 7 days, etc).
55
56	> TODO: How to revoke. This could be a future NIP.
57
58
59	#### Example	40	#### Example
60		41
61	Below is an example of an event published by `62903b1ff41559daf9ee98ef1ae67cc52f301bb5ce26d14baba3052f649c3f49`, on behalf of `86f0689bd48dcd19c67a19d994f938ee34f251d8c39976290955ff585f2db42e`.	42	Below is an example of an event published by `62903b1ff41559daf9ee98ef1ae67cc52f301bb5ce26d14baba3052f649c3f49`, on behalf of `86f0689bd48dcd19c67a19d994f938ee34f251d8c39976290955ff585f2db42e`.
62		43
63	```json	44	```json
64	{	45	{
65	"id":"23bf557814cd294d77a52e43d16903862c231857319f950ba40474fde1b9c393",	46	"id": "a080fd288b60ac2225ff2e2d815291bd730911e583e177302cc949a15dc2b2dc",
66	"pubkey":"86f0689bd48dcd19c67a19d994f938ee34f251d8c39976290955ff585f2db42e",	47	"pubkey": "62903b1ff41559daf9ee98ef1ae67cc52f301bb5ce26d14baba3052f649c3f49",
67	"created_at":1652969505,	48	"created_at": 1660896109,
68	"kind":1,	49	"kind": 1,
69	"tags":[	50	"tags": [
70	[	51	[
71	"s",	52	"delegation",
72	"eyJzaWduZXJrZXkiOiI2MjkwM2IxZmY0MTU1OWRhZjllZTk4ZWYxYWU2N2NjNTJmMzAxYmI1Y2UyNmQxNGJhYmEzMDUyZjY0OWMzZjQ5IiwiY3JlYXRlZF9hdCI6MTY1OTQ0NjMxNX0=",	53	"86f0689bd48dcd19c67a19d994f938ee34f251d8c39976290955ff585f2db42e",
73	"2ed3e4b8470ce37b7e1946441a323d1d71c8a846fe49787ec406e14a44632cc96e48cabccc4a526eedd51aca33bf2a5cf7fb85462d23ad6d4de29c8b91abc41b"	54	"kind=1&created_at>1640995200",
74	]	55	"c33c88ba78ec3c760e49db591ac5f7b129e3887c8af7729795e85a0588007e5ac89b46549232d8f918eefd73e726cb450135314bfda419c030d0b6affe401ec1"
75	],	56	]
76	"content":"Hello Nostr. This is Minds calling.",	57	],
77	"sig":"30f0ebb907bd23416dd32a14b905abeb1db3fde97c74a151c51e5503e91ed25d58fbdcd95910ea4c11dc49d3fca8c616c0e7489e0f8da37b0938a7ce393285e7"	58	"content": "Hello world",
		59	"sig": "cd4a3cd20dc61dcbc98324de561a07fd23b3d9702115920c0814b5fb822cc5b7c5bcdaf3fa326d24ed50c5b9c8214d66c75bae34e3a84c25e4d122afccb66eb6"
78	}	60	}
79	```	61	```
80		62
		63
		64	#### Relay & Client Querying Support
		65
		66	Relays should answer requests such as `["REQ", "", {"authors": ["A"]}]` by querying both the `pubkey` and delegation tags `[1]` value.