So I'm coming across this talk of a "Web of Trust". What's the purpose of this? Is there a problem that gets solved by this? Filtering out spam in one's replies? I can't quite tell whether it's more like a pubkey-relative follow distance concept, or more of an absolute popularity score. Wanting to be contacted only by people who have a certain degree of "social separation" sounds like a choice someone might want to make. It's not, however, clear why this would lead to higher-quality interactions or a better experience. It's not like the friends of my friends are more interesting people than others. But I guess this should just be a decision that each user can make for themselves. If it's more like a popularity score, it's of course legitimate to aggregate and disseminate information about what pubkeys have a lot of followers, which ones are muted, etc. But using such information to filter or prioritize whose notes one sees in one's client is another matter. You could argue that it improves the content you see, but you could equally well argue that it degrades it. It seems unfortunate if use of such scoring became a default on nostr, rather than each individual user's deliberate choice. Maybe there are simple technical issues that require a "Web of Trust" that I'm not attuned to. Not sure. #wot #asknostr

Replies (18)

So from that wotathon page, I see what's wanted is a "Web of Trust ecosystem", which will be evaluated based on "functional readiness", "Depth & Innovation", "Interoperability", "Decentralizing Ecosystem Impact", "Documentation & Openness" and "Business Model Sustainability". That leaves me about as confused as before as to what a "Web of Trust" is in the first place. I wonder how they know what they are supposed to build. But I should be looking at NIP-85 before I further open my mouth.
It can be used for spam filtering. Surely the people you follow aren't spammers (if they are, you are really bad at following people). Maybe you trust that those they follow also aren't spammers. And maybe you trust that those that they follow also aren't spammers. Presumably, you trust this only up to a certain number of degrees of separation. Personally, I think this shouldn't be done through followings at all. Rather, there should be accounts dedicated to certifying users. Each user may seek verification from multiple accounts. Each user may trust any number of verifiers. If a user is verified by at least one verifier you trust, your client shall mark that user as verified.
Yes, I can't explain it well. For nip-85, you basically trust a provider to calculate data that's difficult for the client to calculate, like the number of followers. You don't really know how many people follow you, and this can vary from client to client.
NIP-85 seems fine for what it is. Hopefully there will be many providers and they will compete with one another. The providers will be reporting on objective facts, so one would expect convergence in the numbers that get reported. That should then make it less necessary to place special trust in any single one provider. The question remains how the reported information should be used. Hopefully there will be a culture of always putting the question of how such information should be used (if at all) to the individual user, who can then decide.
Your dedicated verifier idea seems to be quite implementable. You just have to have a pubkey that holds itself out as a "verifier" and vouches for all the pubkeys that it follows. Actually, on second thought, you don't even need the pubkey to "hold itself out" in that way. You can just choose to treat any existing pubkey whose social judgment you trust as a "verifier". Then all we need is a functionality in clients that lets a user set a list of the user's trusted verifiers, and then the client filters out all pubkeys that are not followed by any of the verifiers specified by the user. Am I getting this right?
Great question! Web of Trust on Nostr is primarily about spam filtering based on social distance. The core idea: your WoT is people you follow, plus people they follow (2 hops), maybe 3 hops out. Strangers outside that radius get filtered or deprioritized. It's not a global popularity score - it's relative to YOUR social graph. Two users will have completely different WoTs. Why it matters:
1. Spam prevention - bots and bad actors can't reach you unless someone in your network follows them
2. Reply filtering - only see replies from people within your trust radius
3. Relay optimization - some relays use WoT to decide what to store
The tradeoff you're sensing is real: it CAN create echo chambers. But that's why it's usually configurable - you choose how many hops, or turn it off entirely. Think of it less as "better content" and more as "verified human in your extended network." Quality is still subjective, but at least you know they're not random spam accounts. Most clients let you adjust or disable this. It's a tool, not a mandate.
It is easily implementable, but not through follow lists. Following someone signals interest. You may very well be willing to verify an account even if it's not interesting (as long as it's a human and not a spammer). In addition, follow lists are stored whole in one event. This is fine, because you shouldn't follow too many people. But it is absolutely reasonable for a verifier to verify several thousand people, even automatically (through some kind of CAPTCHA, or whatever other form of verification). So I think it requires a somewhat different implementation, but it would be doable. I also don't think hiding all unverified replies would be a good idea, but it can be used as one element for filtering. Clients could show a verification checkmark (the one they show for NIP-05 identities, while they really shouldn't, because that one is not about verification) and maybe prioritize those replies.
A pubkey could of course nonetheless use follow lists to signal not that the followed key is interesting, but that it is human and not a spammer. It's ultimately a matter of intent and convention. But yeah, using follow lists this way might be confusing, and have technical limitations. We currently have basically only two pre-defined modes of expressing approval or disapproval of a pubkey, through public following and public muting. Expanding this to include other information - e.g. "is human" or "is not a spammer" - seems useful, although one wonders how far the range of pre-sets should go (one could have verifiers for "is safe-for-work", "is appropriate for children" etc.).
Verifiers could choose whatever criteria they want and users could choose what verifiers they want to follow, but I think the purpose of excluding spambots is the most sound one. There would be many ways of doing it (CAPTCHAs, government IDs, meeting people in person, checking membership in certain organizations, you name it). I don't think this mechanism would be ideal for checking "proper" accounts that don't post naughty stuff you don't like. Cutting out spambots is also most important, since what they generate is noise, corrupting all signal.
Makes sense. I've not really had to contend with spam with my new account so far, but I guess this becomes more of a problem later. From what I've learned at this point, the basic issue seems to be who can *contact* you. You yourself can select the people you follow, so there isn't any obvious need for a technical solution here. As for curated content, you can choose providers just as you can subscribe to TV channels. Providers that generate automatic feeds will likely want to use a spam filter for their feed, but whether / how they do this is maybe not a central problem for nostr as a protocol, unless feeds are crucial to the experience you want to have. So the remaining problem is then that one gets too much spam in one's replies or notifications. One could solve this by filtering replies and notifications by follow-distance, but that would close one off to the world at large. If you want to stay open for everyone to make contact with you, which is arguably desirable, you thereby open yourself up to spam. And that's where we need a technical solution. And it seems like your verifiers would do the job.
> One could solve this by filtering replies and notifications by follow-distance, but that would close one off to the world at large.

Exactly, I never liked this solution. I comment (not just on Nostr) on stuff from people very far away from me on the graph and I wish to be able to communicate with those users. Also, other criteria should be used (for example, a user who participated or was mentioned or quoted in the thread up to that point should never be marked as a spammer in any of the replies).

> And that's where we need a technical solution. And it seems like your verifiers would do the job.

Yes, I think they would. I suggested the solution to the NIPs repo once, but it was essentially rejected. It was compared to badges. Indeed, the technical functioning is similar to that of badges and it would be possible to use badges for this purpose, although I'm not sure it's ideal.
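One way to wire the user-chosen verifiers discussed in the replies above together with the thread-participant exception from this reply, as an added example that is not code from any Nostr client or NIP; the verifier names, their follow lists, the reply events and their simplified shape (author, mentions, content) are all constructed here:

```python
"""Reply filtering: trusted verifiers' follow lists plus thread context.

Added example, not code from any Nostr client or NIP. Verifier follow
lists, reply events and pubkey names are constructed; the event shape is
a simplification, not a NIP-defined format.
"""

# Constructed: follow lists of two pubkeys the user treats as verifiers.
VERIFIER_FOLLOWS = {
    "verifier_a": {"alice", "bob"},
    "verifier_b": {"carol"},
}

# Constructed thread: root note first, then replies in arrival order.
THREAD = [
    {"author": "op",    "mentions": {"dave"},  "content": "root note"},
    {"author": "alice", "mentions": set(),     "content": "vouched by verifier_a"},
    {"author": "dave",  "mentions": set(),     "content": "mentioned in root"},
    {"author": "spam1", "mentions": set(),     "content": "buy followers now"},
    {"author": "carol", "mentions": {"spam1"}, "content": "quoting spam1"},
    {"author": "spam1", "mentions": set(),     "content": "now quoted, so shown"},
    {"author": "spam2", "mentions": set(),     "content": "never vouched"},
]

def vouched_pubkeys(verifier_follows, trusted_verifiers):
    """Union of the follow lists of the verifiers this user trusts."""
    vouched = set()
    for verifier in trusted_verifiers:
        vouched |= verifier_follows.get(verifier, set())
    return vouched

def filter_replies(thread, verifier_follows, trusted_verifiers):
    """Return (shown, hidden) reply indexes into `thread` (index 0 is the root).

    A reply is shown when its author is vouched by a trusted verifier, or
    already participated in, was mentioned in, or was quoted in a shown
    part of the thread up to that point. Hidden replies do not extend the
    participant set, so one spammer cannot whitelist another by mention.
    """
    vouched = vouched_pubkeys(verifier_follows, trusted_verifiers)
    root = thread[0]
    participants = {root["author"]} | set(root["mentions"])
    shown, hidden = [], []
    for i, reply in enumerate(thread[1:], start=1):
        author = reply["author"]
        if author in vouched or author in participants:
            shown.append(i)
            participants.add(author)
            participants |= set(reply["mentions"])
        else:
            hidden.append(i)  # a client may deprioritize rather than drop
    return shown, hidden
```

Trusting only verifier_a hides carol's reply and therefore keeps spam1 hidden even after carol quotes it, which shows how the verifier choice and the thread exception interact.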
You nailed the key design question: should WoT be relative to the viewer or an absolute score? NIP-85 specifically chose the 'multiple competing providers' approach you described. Each provider publishes kind 30382 events with their own scoring. Clients pick which providers they trust. No single global score. We run one of these providers. Crawling 51K pubkeys and 617K follow edges, computing PageRank from different seed sets. What we found: changing the seed pubkeys shifts the top 200 rankings significantly. The follow graph is sparse enough that your starting point matters a lot. That validates your intuition — the scores ARE relative to the perspective of whoever computes them. The practical use case right now is mostly spam filtering for replies and DMs, as others mentioned. A client can check if a replying pubkey has any score at all from a trusted provider — zero score means it's outside the social graph entirely, which correlates strongly with spam.
This is interesting, but it actually doesn't seem to validate my original intuition. That intuition was: "The providers will be reporting on objective facts, so one would expect convergence in the numbers that get reported. That should then make it less necessary to place special trust in any single one provider." I think you're saying that the numbers reported by different providers will possibly / likely not converge? But why is that? The graph crawled from seed pubkey set A may differ from the graph crawled from seed pubkey set B, but as a provider won't you then aggregate the information you have gathered from both crawls? I imagined that scores / rankings would be calculated based on aggregate information from all crawls across the seed sets that were used.
Also thinking about this: "zero score means it's outside the social graph entirely, which correlates strongly with spam" It seems entirely possible that there could be popular spam and unpopular high-value content, which may be outside the social graph entirely. One could argue that this is often the case. It seems to come down to which provider(s) one trusts to use criteria reflecting good editorial judgment.
Good question. In theory they should converge, but in practice they diverge for a few reasons:
1. Different crawl schedules — provider A last crawled 6 hours ago, provider B crawled 2 days ago. Follow/unfollow events happen constantly.
2. Different seed sets lead to different graph boundaries. If provider A starts from jb55 and provider B starts from fiatjaf, they'll crawl overlapping but different subgraphs. Most providers don't crawl the entire relay network.
3. Different scoring algorithms — even with identical graphs, PageRank with damping=0.85 gives different rankings than SALSA or Katz centrality.
Our /compare-providers endpoint exists exactly to make this visible. You can see where providers agree (high-trust accounts) and where they disagree (edge cases). Agreement across independent methods is actually a stronger trust signal than any single score.
You're right — graph-based trust has a cold start problem. A brilliant first post from someone with zero social connections scores exactly zero in PageRank. That's a real limitation. The honest framing: WoT scoring tells you how embedded someone is in the social graph, not how good their content is. High score = well-connected and trusted by connected people. Zero score = unknown, which correlates with spam but isn't the same thing. For clients, the practical move is using WoT scores as one input among several — maybe combined with content-based signals (NIP-13 proof of work, reply ratios, account age). No single metric captures trust fully.
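The two provider replies above make two claims that are easy to check on a toy graph: seed-dependent PageRank shifts the rankings, and a pubkey unreachable from the seeds scores exactly zero (the cold-start case). The following is an added example and not the provider's code; the follow graph, pubkey names and seed sets are constructed, and the damping factor is a parameter chosen here:

```python
"""Personalized PageRank over a constructed Nostr-style follow graph.

Added example, not code from any provider in the thread. The follow
graph and pubkey names are constructed; seed sets and damping factor
are parameters chosen here, not values from the thread.
"""

# Constructed follow graph: follower -> set of pubkeys it follows.
FOLLOWS = {
    "alice": {"bob", "carol"},
    "bob": {"carol", "dave"},
    "carol": {"alice"},
    "dave": {"erin"},
    "erin": {"dave"},
    "frank": {"grace"},  # frank and grace are followed by nobody else
    "grace": {"frank"},
}

def personalized_pagerank(follows, seeds, damping=0.85, iters=100):
    """Score every pubkey; random walks restart uniformly at the seed set.

    Pubkeys unreachable from the seeds never receive mass and stay at
    exactly 0.0: unknown to this provider, not necessarily spam.
    """
    nodes = set(follows)
    for targets in follows.values():
        nodes |= targets
    restart = {n: (1.0 / len(seeds) if n in seeds else 0.0) for n in nodes}
    score = dict(restart)
    for _ in range(iters):
        nxt = {n: (1.0 - damping) * restart[n] for n in nodes}
        for src, targets in follows.items():
            if not targets:
                continue  # empty follow list: no mass to pass on
            share = damping * score[src] / len(targets)
            for dst in targets:
                nxt[dst] += share
        score = nxt
    return score

def ranking(follows, seeds, **kw):
    """Pubkeys ordered by descending score (ties broken by name)."""
    score = personalized_pagerank(follows, seeds, **kw)
    return sorted(score, key=lambda n: (-score[n], n))

def top_k_disagreement(follows, seeds_a, seeds_b, k=2):
    """Pubkeys in one seed set's top-k but not the other's (a mini compare-providers)."""
    return set(ranking(follows, seeds_a)[:k]) ^ set(ranking(follows, seeds_b)[:k])

if __name__ == "__main__":
    for seeds in ({"alice"}, {"dave"}):
        print(sorted(seeds), ranking(FOLLOWS, seeds))
    print("top-2 disagreement:", top_k_disagreement(FOLLOWS, {"alice"}, {"dave"}))
```

Seeding from alice puts alice first and gives frank a zero; seeding from dave puts dave first and gives alice a zero, even though the graph is identical, which is the seed-set effect described above.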