Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

NIP-37 - Transport method announcement #1585

Open
wants to merge 8 commits into
base: master
Choose a base branch
from

Conversation

Origami74
Copy link
Contributor

Motivation

Nostr decouples applications completely from the transportation layer, meaning services no longer have to be designed around a single transportation method, but can be accessible through a plethora of ways. This NIP is meant to act as a lookup system that tells a client which transportation methods can be used to access its services.

Rationale

Similar proposals

There have been NIP proposals that touch the connection between pubkeys and addresses, examples of this are:

NIP-97

I believe NIP-97 is very close to solving the issue of this mapping. However, it attempts to also include human-readable naming into the solution. I believe that human-readable naming of pubkeys/services is inherently different from mapping a pubkey to an address where a user can access that pubkey's services, which may or may not map to a legacy domain name.

I argue that Nostr introduces a new paradigm of addressing services, and that that creates an opportunity to make services accessible through different networks and protocols simultaneously.

Human-readable names are and will always be ambiguous and opinionated. Addressing is not nearly as ambiguous. A location is either controlled by a pubkey, or it is not. A pubkey can quite easily prove that it controls an address.
Therefore connecting a name to pubkey to a pubkey should be solved in a separate NIP.

NIP-66

NIP-66 covers discoverability from the client side and can be a very important tool to discern which services are worth connecting to. I think it can act as the feedback mechanism to the proposed event of this NIP. It can be used to build metrics for the various networks a pubkey announces it to be accessible. Things like rtt (round trip time) can also be different for each network and should be measured seperately.

37.md Outdated

`draft` `optional`

This NIP describes how digital services can announce how clients can reach them, it describes which network is used and depending on the network what other data is needed to reach it.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What do you mean by "digital service"?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Any service/server really. Some examples would be Cashu Mints, Relays, Epoxy Proxies, IOT devices...

@mikedilger
Copy link
Contributor

Based on the title I thought this was going to decouple nostr from websockets and propose nostr-over-X. But rather it looks like a method to advertise services, although such services don't seem to be "nostr" so I'm not sure why it is here unless it is just leveraging nostr identities.

@vitorpamplona
Copy link
Collaborator

I like this.

It is similar (simpler) to the proposed NIP-97. Instead of making references by event address, we make them by pub keys. Here each key can only have one redirection event (kind 11111) and thus we can reference the key directly, instead of each individual "subdomain" of a key on kind 30053 of NIP-97.

@vitorpamplona
Copy link
Collaborator

This would help normalize relay URLs while offering multiple IPs/domains for the same relay.

Many relays offer ipv4, ipv6, and onion addresses. If NIP-65 becomes a list of pubkeys instead of the wss:// addresses directly, each client can choose if they want to connect via ipv4, v6, i2p or onion. The receiver, and not the author, decides how to connect.

Granted, it creates another round of requests before using the relay or server.

@Origami74
Copy link
Contributor Author

Origami74 commented Nov 18, 2024

Based on the title I thought this was going to decouple nostr from websockets and propose nostr-over-X. But rather it looks like a method to advertise services, although such services don't seem to be "nostr" so I'm not sure why it is here unless it is just leveraging nostr identities.

It's about decoupling services from a single network and protocol. A relay could use this to decouple from websockets as well. So nostr-over-X could be served by this. If i would have a relay that's accessible exclusively over Lo-Ra it could look like this:

{
  "kind": 11111,
  "tags": [
    ["lo-ra", "914.3Mhz", "<whatever-protocol-lora-people-use>"]
  ]
}

It is really specifically NOT about advertising the service itself which this pubkey is offering, it's only about addressing. There is too much variety in the types of services that can be offered, which can never be satisfied by having one single 'service announcement' kind. I believe every type of service should have it's own service announcement kind. Ex: One for cashu mints, one for relays, one for proxies, etc...

Here each key can only have one redirection event (kind 11111) and thus we can reference the key directly

Spot on!

Granted, it creates another round of requests before using the relay or server.

That is true, although the owner of the pubkey can include some addresses hints in other announcement events that are specific to the service they offer. "Address-hints", if you will.

One example here: https://github.com/ArjenStens/nostr-epoxy-reverse-proxy/blob/main/NIP-XX.md#example

@fiatjaf
Copy link
Member

fiatjaf commented Nov 18, 2024

Just to clarify, is the intent that is used, for example, for a personal website? Like replacing DNS and making my website's IPv4 and IPv6 available? And then also offering the website over Tor?

I am having trouble seeing an actual use case here. I can see the relay use case and I won't comment about it, but, aside from that, what else?

If I am using some service's API, for example, I will already be hardcoding their endpoint and transport in my consumer code.

@Origami74
Copy link
Contributor Author

Origami74 commented Nov 19, 2024

Let me first clarify a bit by making a comparison to DNS:

Legacy DNS (in the way it's used in practice) solved multiple problems: 1) Naming, 2) Identity, 3) Addressing. However, it requires centralized coordination, which is why we don't want to rely on it anymore. Nostr allows us to split these functions of legacy DNS into three parts we can define and solve separately.

1) Naming: Attaching human-readable names to an identity is a consensus/social problem, and should be solved separately from the addressing issue. If people want to have legacy domain names on Nostr it should map the human readable name to a pubkey.
2) Identity is already solved by Nostr out of the box with a pubkey being the identity.
3) Addressing Is the part that this NIP tries to solve. Once trust in an identity (pubkey) is established, you can do a lookup to this event to see where the it should be interacted with, and with which protocol. It can support multiple networks at once, and the addresses can change all the time (for example when dealing with takedowns).

Just to clarify, is the intent that is used, for example, for a personal website? Like replacing DNS and making my website's IPv4 and IPv6 available? And then also offering the website over Tor?

I am having trouble seeing an actual use case here. I can see the relay use case and I won't comment about it, but, aside from that, what else?

The goal is for services to easily define (multiple addresses) and swap out addresses and for clients to still be able to reach them using one simple lookup.
So yes, you could make a website available on just an IP address, or 4 different ones, spread over several networks (clearnet/tor/i2p/hyper). Personally I don't think it's main use case will be websites (nsite already helps solve that). It's more useful for services like mints, blossom, relays and whatever else we can come up with.

As an aside: If you'd combine this with encrypting traffic to the pubkey, you could completely subvert the use of centralized domain names AND SSL/TLS with it's single point of failure: the 'Trusted' root certificate authorities.

If I am using some service's API, for example, I will already be hardcoding their endpoint and transport in my consumer code.

I see that that works for a lot of services, but not all. I can see a big need for this by services that might have to move around to avoid takedowns. I think cashu mints might be prone to takedowns and since money is involved, that's a big deal. Currently it's very hard to know which new domain/ip actually belongs to the identity that you trusted and connected to earlier.


What led me to this proposal is the Epoxy project which can proxy to any websocket by just providing it with pubkey. It should be able to see the pubkey's available endpoints on any of the networks it supports (clearnet/i2p/tor/hyper) and connect on whichever one it can reach.

To get there the proxy has to do a lookup, but it doesn't care -and shouldn't have to care- what type of service it's connecting to, it could be another proxy, a relay, or a mint. If there's no single way to do this kind of lookup it would add so much complexity. In this case it might have to check all those service's respective announcement events with their endpoints.

Okay, end of essay 😛

@rabble
Copy link
Collaborator

rabble commented Nov 20, 2024

I like this because it would make running Nostr over Tor or other alternative networks easier because you could know there are multiple paths to the same relay and means relays aren't so tied to domain names which might go away.

@mikedilger
Copy link
Contributor

This can't be used for relays because relays aren't known by their pubkey but by their URL. That was sorta defined into nostr from the start.

I think it would be very useful to define both the specific protocols (e.g. tor) that can be used in the tags, but also add another tag that explains what the service is and have a defined list of those values as well. Otherwise it's just a free-for-all and doesn't define anything that anybody can use.

@vitorpamplona
Copy link
Collaborator

This can't be used for relays because relays aren't known by their pubkey but by their URL.

The goal is to change that. Don't declare your relays with a wss:// address. That doesn't make any sense. Declare the relay pubkeys and find the current address as needed.

@mikedilger
Copy link
Contributor

That is a great idea @vitorpamplona and I have it listed for nostr-next. But when I look through my codebases, changing the way relays are referred to is far too big of a breaking change.

@vitorpamplona
Copy link
Collaborator

vitorpamplona commented Nov 20, 2024

far too big of a breaking change.

Nah... it's just a additional ["server-key", <pubkey>] tag on the usual NIP-65. Clients supporting pubkey-based relays can figure itself out. Migration can happen without other clients even knowing.

@dskvr
Copy link
Contributor

dskvr commented Nov 30, 2024

🚀 :

  • Relay Pubkeys solve normalization.
  • Efficient multi-network routing.

Concerns:

  • relay pubkeys add complexity to relay development and security by requiring either relays to have an internal hot signer and key management to sign these events, or for relay operators to manually publish these events on behalf of their relay.
  • In the hot-signer case, what happens to dependent clients when a popular relay software with hot signer (a likely outcome) has a zero day and a large percentage of relays' NIP-37 events are rewritten in a matter of minutes?

Notes

  • In a few years there could be (tens|hundreds of) thousands of these events, where a tiny percentage of them will be still be in service. This is the case that NIP-66 addresses.
  • Why not instead of server-key just list p tags (that can used to find NIP-37) or a tags that reference a relay's NIP-37 events. Makes NIP-65 both discoverable via relay pubkey and increases compatibility.

You missed some points on NIP-66

  • Signal to noise; most strings that purport to be "relays" in hints and lists are offline, this will also be the case for pubkeys.
  • Discoverability: Finding via pubkey is one path, and it also requires that you first know the pubkey, NIP-66 discoverability is significantly more diverse. For instance: Find nip-50 search relays that are on tor and require auth but no payment or find relays within my country or related to a specific topic.

Doesn't matter:

  • There's a tiny amount of redundancy with NIP-66 but it doesn't matter, this is a routing case. NIP-66 wasn't designed for nor intended to be used for routing.

@Origami74
Copy link
Contributor Author

  • relay pubkeys add complexity to relay development and security by requiring either relays to have an internal hot signer and key management to sign these events, or for relay operators to manually publish these events on behalf of their relay.

Yes, although I believe this new responsibility to be inevitable if we want to reduce reliance on DNS. In the legacy DNS/SSL system we offload identity and security to third parties (ICANN, Let's encrypt, etc...). Changing this to services managing their own identity might leave an individual service more vulnerable, but the system as a whole will get more resilient by removing these single points of failure.

(I view this NIP as a crucial step in the direction to encrypt traffic using nostr pubkeys instead of SSL, allowing us to have one encryption method independent of the transport method used)

  • In the hot-signer case, what happens to dependent clients when a popular relay software with hot signer (a likely outcome) has a zero day and a large percentage of relays' NIP-37 events are rewritten in a matter of minutes?

If the relay's key is compromised there's nothing we can do about that. The relay would only have one NIP-37 event by the way that it can update over time. This is public so it could be watched by others.

  • In a few years there could be (tens|hundreds of) thousands of these events, where a tiny percentage of them will be still be in service. This is the case that NIP-66 addresses.

I think any service should regularly re-publish this event, acting as a heartbeat. If it goes down for a long time it can be ignored.

  • Discoverability: Finding via pubkey is one path, and it also requires that you first know the pubkey

This NIP indeed assumes the discovery problem to be solved elsewhere. NIP-66 can be a great tool for that, I have no strong opinions on how the discovery should look exactly.

37.md Outdated
Comment on lines 28 to 32
["clearnet", "some.domain.com", "wss"],
["tor", "somehash.onion", "ws"],
["i2p", "somehash.b32.i2p/", "ws"],
["ipv4", "157.240.212.35", "http"],
["ipv6", "2001:db8:3333:4444:CCCC:DDDD:EEEE:FFFF", "http"]
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

clearnet = ipv4 = ipv6

it should be easy for clients to determine what is DNS and what is IPv4/6

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good point! I Updated the example.

- change 'ipv4'/'ipv6' to 'clearnet'
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

7 participants