Proposing a couple of changes to the NIP-05 protocol to reduce the chance of fraudulent use of "verified" public keys. At present, I could create an account on a well-known verifying server under a random name, and then send DMs pretending to be someone else, and there's no easy way for users to tell who the verifying account actually belongs to.
As well as displaying the name of the account on the verifying server, this PR suggests an enhancement to the JSON data being returned so that clients can redirect the user to the user's profile page on the server. This will make it much easier for users to check that someone who claims to have verified their Nostr account is who they claim to be.
JS Nostr apps such as Branle may not be able to load `nostr.json` files due to CORS policies. Update NIP05 to warn about this and provide hints for troubleshooting and fixing the issue.
vivganes
Matthew Lorentz
fiatjaf
Erik Westra
Jeff Jing
Luke Childs
Lyle Pratt
majestrate
sgmoore
David A. Harding
fiatjaf