So, now I have an application that can interact with nostr, but what if I want to integrate it with other applications such as a messenger? What if I want to have a Bot in Zulip which allows you to create a Mostr Task and list existing ones? The latter one is more tricky since it requires authentication on a production relay. A nostr identity is an asymmetric cryptographic keypair, so there is no straightforward way to do such.
A signer browser extension is not of help, because the bot runs external to the user. Asking for and storing the user's key is out of question in this context, because that would expose it in both the message history and the zulip database. Any encryption password would need to be provided via message to the bot too, making the encryption moot as well.
Thus the avenues I see for the bot acting authenticated on behalf of a user is either to communicate with another intermediary securely (in essence a remote signer) or for the user to run a bot themselves that has the necessary identification details. The problem with the former stil is that any means of authenticating the bot to the intermediary would be available to the zulip server admin as they need to be stored somehow.
Own Bot Identity
This leaves us with the bot having an own keypair and thus an own identity as the only feasible solution for now.
Maybe there is a cryptographic way for the user to derive a key thus that it can be traced back to their original key as authority - but then a mechanism to revoke that derived key is needed. A mechanism like this could indicate that the bot acts on behalf of the user if we are unablt to have it act as the user.
The last and most practical solution for now is to have the bot act as an independent entity with own identity, available for use by any user. For that, the bot either needs to know the public key of the user to be able to assign created tasks
This makes the bot unable to do actions that need to be done by the user themselves, such as timetracking and potentially even task modifications in the future. But it can authenticate properly with an own keypair, to read and list tasks as well as create tasks assigned to a user.
Next to the user manually supplying a pubkey for assignment, it could try to match the username to a username on mostr and suggest a match. Either way the pubkey can be saved without issues.
Amendment: Nostr NIP-26
Shortly after writing this, I found https://nostr-nips.com/nip-26 with the exact purpose of enabling such applications - thus the user could authorise the bot to act on their behalf, however that again implies trust of the server since mostr intentionally allows backdating of events for quite some time.
Furthermore, this needs own support in mostr since right now the event pubkey is assumed to be the creator.