I'm not opening a google drive document, but based on your TLDR, yes - key management on nostr has yet to be fully solved.

The best solution so far is nsecbunker (keys never leave the enclave).

Can you summarise the solution? Can't read the comments / replies as that requires a twatter account.

It would be nice if nostr could do that like PGP

But PGP failed for over a decade precisely because this created a difficult user experience

And after that it got killed by a massive attack

Nostr at least has a chance of working, because it is simple

"Trust-based social verification, revocation, signalling, and redistribution"

Correct me if I'm wrong but sounds a lot like how things work right now. I mean, for example, someone who nobody had heard of a year ago now 'ranks' highly through number of following accounts.

If that persons keys got comprimised, they'd just use a backup set of keys and announce to inner-circle that they have new keys. Followers unfollow old and follow new.

I guess this is trying to address imposters and spoof accounts? Like someone who has global or significant audience. I feel nostr is not really the place for this. It's not that it couldn't serve that demographic, just that audience need to understand that verification is always something that is an active process.

If audience can not take responsibility for that, they also must realize that when tagging an account of said significant person, the response they get from said account might not be person they assume it is (i.e secretary/ P.R, etc.)

You could be duped into watching a deepfake from a verified account, or a body double in meatspace. Surely this responsibility to verify sources and the system to verify will scale given time?

Skill issue on his side

yet another bad take

I think nips 26 and 46 address this issue, and nsecbunker is an existing solution based on that spec.

This is shortsighted.

We need to build on it how it is first ... because we don't actually know what needs to be built yet ... because this stuff has never worked well before ... because otherwise we'll all be armchair programmers theorizing requirements that don't actually exist and building things that don't actually have demand and don't actually work.

That's sad because Nostr do more than social network. For example, distributed market (service, good, AI).

The great thing is you can cherry pick some features/NIP (or build you own) on Nostr for your app and hopefully you don't need to necessary deal twitter like stuff.

I'm very much still learning Nostr and how it works. My web3 background has been with Hive (the fork from Steemit after Justin Sun tried a takeover). My knowledge there has helped me understand Nostr, but also conflicts with the Nostr way at times.

Differences:

Nostr uses a pub/priv key pair where your public key is effectively your username. The "nym" that shows is nothing but a nametag, the public key is really you...your identifier.

On Hive, you have a human-readable username, mine there is "crrdlx"...that is your account, your identifier. Then, there are actually four private keys used. The reasoning is to ensure there are different levels of security.

"posting" key for posting stuff (like this) "active" key for moving funds "owner" key for managing everything "memo" key for sending encrypted private messages

The logic is that you only use lowest needed key, that way if it ever gets compromised, the hacker can't do the the other things.

Clearly, Nostr doesn't do this type of splitting of keys.

As far as reputation, Hive actually has a "reputation" score that is shown by your username. Your reputation is based on upvotes/downvotes of others (their reputation score influences yours along with their vote). It's not perfect but, it offers a glance-assessment of every user.

As far as a restart to reputation, if my "crrdlx" account was hacked and taken over by someone, I could simply start another account, call it "real-crrdlx". Then, I would need to announce what happened and I'm starting over with a new username. Of course, I'd have to somehow prove I am actually "real-crrdlx." My followers would not automatically be moved over and I'd have to regrow reputation.

As I understand, this is effectively the same that would be needed on Nostr.

I really don't know a solution, this may be a web3 snafu that we must currently live with. Maybe something will be figured out in the future. The bottom line...

...protect your private keys and you'll be fine.