SEC-06 Report: Identity & Signers

Humans need better key management. For machines, keys are the only path to autonomy.

Introduction

It’s been a couple of months since SEC-06 wrapped on March 20th, and, as they say, better late than never. This was our first three-week focused sprint on the hard questions of everything identity & signers. About 21 people - roughly half alumni and half new faces - showed up in Madeira to tackle one sharp problem: keys are great, but key management is a disaster.

After SEC-05, it was clear that identity in the world of AI would matter a lot. We wanted to talk to our LLMs and have them make payments. Just before the cohort, Openclaw blew up, and the Clankers needed to talk to humans and to each other. The legacy stack does this with phone numbers, OAuth, API keys, payment processors, and a million KYC hoops. With a Nostr plugin, a clanker generates its nsec, sets up its wallet, and starts DMing and zapping in one prompt, in minutes, by itself.

On the last day of the cohort, Pip the WoT guy published an analysis of about 16,000 leaked nsecs. No NIP-41 in the wild, no rotation, no way to tell the network “this isn’t me anymore”. Today, any key compromise is fatal.

Themes & Projects

Identity & Key Management

Identity continuity was the hot topic and was attacked from multiple angles: cryptographic rotation, social recovery, and checkpoint events, building legitimacy over time. Gzuuus’ OpenContinuity (NIP #2278) is already moving through review - identity continuity on Nostr is observer-dependent, so the draft standardizes claims and evidence, not truth. The PR thread is worth reading.

Signers & Bunkers

hzrd’s article “Signer UX sucks” struck a chord, and we highly recommend it. Florian’s testbed picks the middle ground between approving everything (approval fatigue) and approving nothing (a security facade): per-event-kind flows with risk-tuned warnings.
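To make the per-event-kind idea concrete, here is a small signer policy sketch. It is an added example, not code from the SEC-06 report or from Florian’s testbed: the risk tiers, the warning texts and the grant expiry are assumptions, while the event kinds themselves are the standard NIP-01/NIP-09/NIP-59/NIP-65 kinds.

```python
import time
from dataclasses import dataclass, field

# Risk tiers by Nostr event kind (the tiering is an assumption for this example).
LOW = {1, 7}             # text notes, reactions: can be remembered per app
MEDIUM = {0, 3, 10002}   # profile, follow list, relay list: replaceable, overwrite state
HIGH = {5, 1059}         # deletion requests, gift-wrapped DMs: prompt every single time

WARNINGS = {
    0: "Replaces your entire profile metadata.",
    3: "Replaces your whole follow list; a misbehaving app can wipe it.",
    10002: "Changes the relays other clients use to find your posts.",
    5: "Deletion requests are broadcast to relays and cannot be taken back.",
    1059: "Signing a gift wrap sends a private message on your behalf.",
}

@dataclass
class SignerPolicy:
    """Decides whether a sign_event request is auto-signed, prompted, or refused."""
    grant_ttl: float = 3600.0
    grants: dict = field(default_factory=dict)  # (app, kind) -> expiry timestamp

    def remember(self, app, kind, now=None):
        """User ticked 'remember for this app'. High-risk kinds are never remembered."""
        if kind in HIGH:
            return False
        now = time.time() if now is None else now
        self.grants[(app, kind)] = now + self.grant_ttl
        return True

    def decide(self, app, kind, now=None):
        """Returns ('sign' | 'prompt' | 'deny', warning text or None)."""
        now = time.time() if now is None else now
        if kind in HIGH:
            return ("prompt", WARNINGS[kind])
        if self.grants.get((app, kind), 0) > now:       # unexpired grant: no fatigue
            return ("sign", None)
        if kind in LOW:
            return ("prompt", f"{app} wants to sign kind {kind}; you may remember this.")
        if kind in MEDIUM:
            return ("prompt", WARNINGS[kind])
        return ("deny", f"Unknown kind {kind}; refusing to sign blind.")
```

Each prompt tier carries its own warning, so low-risk notes get a one-time approval while replaceable and destructive kinds keep their friction.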

Payments & Wallets

One of the most fruitful demos was on Silent Payments, and it came from a non-dev.

AI Agents & Memory

Kosh’s Nomen gives agents searchable memory on Nostr - sleep-style consolidation, turning raw chats into named memories that travel with the npub.

Web of Trust

Gzuuus extended Relatr with an ELO scripting language, so trust scores become user-defined plugins: write the rule, post it as a Nostr event, and anyone can run it.

Storage & Streaming

Blossom kept settling in as the default object store with Nostr as the coordination layer.

  • Flower market (Tom) - Blossom server discovery with challenge-response retention proofs

  • Blossom Fire (Tom) - Phone-to-web live streaming via Blossom + Nostr

  • Nostube (Florian) - Video client on Nostr + Blossom

Network & Discovery

FIPS and ContextVM continued to mature as Nostr-native transports underneath the app layer.

  • FIPS ( @bbb5d...e2747 ) - Two-Tollgate demo; Wi-Fi/Ethernet failover; Nostr relay as first FIPS-native app

  • FIPS over Nostr (Sats And Sports) - FIPS nodes self-announcing topology over Nostr

  • CSH (Yo) - SSH over ContextVM; web terminal tunneled through Nostr

  • Antenna Tracker ( @c3e23...7caa9 ) - ESP32 antenna tracker; MCP-over-Nostr control

Privacy, Tools & Learning

Nostr identities for things adjacent to social: voting, duress signals, trust-bound releases.

  • Auditable Voting (Alex / c0brador) - Cashu-mint coordinator voting with multi-coordinator cross-checks

  • Silent Alarm ( @404d9...42fe7 ) - BIP-85 duress PIN sends SOS via NIP-17 with GPS

  • Software signing (Arjen) - Nostr-signed reproducible releases from GitHub Actions across untrusted workers

Talks & Workshops

  • Identity is Prismatic ( @6e468...eee93 ) - Riffing on Chris Poole’s “high-order bit” talk: “posting as” vs “posting to”. Build things on Nostr that map our many selves rather than collapse them into one.

  • Engineering with Nostr is Better (Tom) - E-bike-company case studies; Nostr identities simplifying production engineering.

  • Openclaw + NIP-17 in a Prompt (Gigi) - Workshop: agent spins up its own Nostr identity and DMs humans in one prompt.

  • Tuesday talks - “Bitcoin doesn’t care what any of us want” (Karliatto), WoT + social recovery + SSS (Tom/Yo/Gzuuus), Governance in Nostr (Gzuuus).

Experiments in SEC-06

  • Three-week format: A bit short - the cohort really starts grooving by Week 3 after 2 weeks of warmup. Still useful since not everyone can do a full cohort.

  • Outdoor BBQs: BBQs after hikes worked well. Tricky to find hike + BBQ spots in rainy spring weather, but we did.

Paths Forward

Identity continuity isn’t optional. Thousands of keys have been exposed, and serious adoption hasn’t even started. SEC-06’s complementary paths - cryptographic, social, hardware-rooted - are still experiments and need serious effort. Until Nostr has continuity baked in, it can’t be a serious social layer where normal people invest their time and energy. This is a big part of why normal people find Nostr hard to use. Derek has a point, even though we don’t fully agree: people don’t like responsibility, and Nostr isn’t for everybody. But let that not be an excuse for bad UX.

Trust should be configurable - Relatr’s ELO-plugin model is a step in the right direction.

Nostr is perfect for agents: identity, money, network, communications. The clankers are here and we’d like to see more of Nostr for the agentic world.

Closing Notes

SEC-06 wouldn’t have happened without our participants at full tilt for three weeks, the captains (Yo, Florian, Gzuuus), @cdebf...4236c for the BBQs and Ponchas, the ladies at the Cowork, @5b705...1efe5 for the space, and @6e468...eee93 for the heart he keeps putting into this.

We owe SEC-06 alumni an Arrr. We also owe everyone the SEC-07 report, coming next.

Upcoming Cohort

Applications are open for SEC-08: YOLO++ running from 20 July - 28 August in Madeira. Apply here.

Yer keys be yer flag, laddies. Lose ‘em an’ ye’re a ghost on the high seas. Rotate ’em proper, or get plundered.

More: sovereignengineering.io | No Solutions
