Tim Bouma on Nostr: I am thinking about creating the concept of a “cpub” or child public key of a ...
I am thinking about creating the concept of a “cpub” or child public key of a root npub. The idea is that the cpub can be provably traced back to a npub. I can have as many cpubs as I want, that map back to the same ‘identity’. If a cpub keypair gets compromised, I can publish an event that invalidates that cpub.
As for clients, when they see what is a cpub, they can resolve back to the root npub and present that identity instead.
The driving requirement is to have a protected root npub that corresponds to my identity; it is high-value so I only want to sign with it when absolutely necessary - keeping it on a hardware signer device.
Any comments on this approach?
Published at 2025-10-23 11:58:19 UTC
Event JSON
{
"id": "f322cf8ee97df5175fd272c6e1d670e454787113245e49c9fc8019b66d7c0906",
"pubkey": "06b7819d7f1c7f5472118266ed7bca8785dceae09e36ea3a4af665c6d1d8327c",
"created_at": 1761220699,
"kind": 1,
"tags": [],
"content": "I am thinking about creating the concept of a “cpub” or child public key of a root npub. The idea is that the cpub can be provably traced back to a npub. I can have as many cpubs as I want, that map back to the same ‘identity’. If a cpub keypair gets compromised, I can publish an event that invalidates that cpub. \n\nAs for clients, when they see what is a cpub, they can resolve back to the root npub and present that identity instead.\n\nThe driving requirement is to have a protected root npub that corresponds to my identity; it is high-value so I only want to sign with it when absolutely necessary - keeping it on a hardware signer device.\n\nAny comments on this approach?",
"sig": "8d9bb0045592891da133643173aa492188b7806d5d95607acea11b107347b45c2ebaabc51fcd67ab9fbf7819b8680caf4a9c94499c200938f5cf01cfe26b7a30"
}