Verify Anyone on Any Channel

Someone messages you on SimpleX claiming to be a person you know from Nostr. Or you get a DM from an ephemeral account claiming to be a well-known developer. The pattern is the same on any anonymous channel: one person claims a known identity and the other has no way to verify it. This is the problem, and every previous attempt to solve it has failed for the same reason: the trust graph did not exist when you needed it.

PGP's Web of Trust was supposed to provide that graph. Phil Zimmermann designed it in 1992 so anyone could verify anyone else through a chain of cryptographic signatures: Alice trusts Bob, Bob signed Carol's key, Alice extends confidence to Carol. The problem was ceremony. Key signing parties, government ID inspections, fingerprint comparisons read aloud. Alma Whitten and JD Tygar's 1999 study "Why Johnny Can't Encrypt" gave twenty participants ninety minutes to send a single encrypted email, and only a third managed it. The trust graph never grew beyond the few dozen cryptography enthusiasts in each city who would have trusted each other anyway.

Keybase automated the ceremony in 2014 by linking cryptographic proofs to social media accounts you already had. It worked, until Zoom acquired the company in 2020 and the product decayed. A single company owned the infrastructure, and when that company lost interest, the verification tool died with it.

Nostr built the missing piece without trying. Every note you publish is a JSON object signed by your secp256k1 private key. When you follow someone, your client publishes a kind 3 event: a signed list of every public key you follow. You did this to curate a feed. The trust attestation was a side effect. Hundreds of thousands of users doing the same thing built a dense trust graph from authentic social signals, the graph that PGP demanded through ceremony and never got. When you encounter an unfamiliar identity, you can already check: do people I follow also follow this person, and how many hops away?

That graph is the prerequisite every previous system lacked. With it, a simple app can solve the anonymous channel problem.

The app has two roles: the Challenger and the Witness.

The Challenger opens the app and generates a challenge: a random nonce paired with an ephemeral public key, plus the relay URLs where the Challenger will be listening. The app encodes these into a single string that the Challenger copies into the anonymous channel.

The Witness copies the challenge into their app. The app signs a verification event (containing the nonce and a timestamp) with the Witness's Nostr private key, a Schnorr signature that only the holder of that nsec could produce. It then gift-wraps this signed event for the Challenger's ephemeral pubkey using NIP-59 and publishes it to the specified relays. Relay operators see an event from a random throwaway key addressed to a one-time pubkey that will never be used again. No metadata about the Witness leaks to the relay, and no signed data passes through the anonymous channel.

The Challenger's app, already subscribed for events to that ephemeral key, receives and decrypts the response automatically. It verifies the signature against the claimed public key (binary: valid or not, the mathematics is the proof) and queries the Challenger's web of trust. Two copy-paste operations, one per person. The relay handles the return trip.

The result goes beyond "this anonymous entity controls a Nostr key." The app shows "this key is two hops from you in your follow graph, followed by twelve people you follow, with a NIP-05 identifier linked to a known domain, and a posting history stretching back two years." A single challenge-response bridges the gap from zero-knowledge anonymity to full social identity.
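The follow-graph query the Challenger's app runs once the signature has checked out, as an added example built on the kind 3 events described earlier (this is not code from the post or from any existing client): hop distance by breadth-first search over follow edges, plus the "followed by N people you follow" count. The sample events and the short names standing in for 64-hex pubkeys are constructed.

```python
from collections import deque

# Constructed sample of kind 3 (contact list) events. Real events carry 64-hex
# pubkeys and a Schnorr signature that must verify before the list is trusted;
# short names stand in for pubkeys here to keep the sample readable.
SAMPLE_KIND3 = [
    {"kind": 3, "pubkey": "alice", "tags": [["p", "bob"], ["p", "carol"], ["p", "dave"]]},
    {"kind": 3, "pubkey": "bob",   "tags": [["p", "zed"], ["p", "carol"]]},
    {"kind": 3, "pubkey": "carol", "tags": [["p", "zed"]]},
    {"kind": 3, "pubkey": "dave",  "tags": [["p", "erin"]]},
    {"kind": 3, "pubkey": "erin",  "tags": [["p", "zed"], ["p", "frank"]]},
    {"kind": 1, "pubkey": "bob",   "tags": [["p", "mallory"]]},  # a note, not a follow list: ignored
]

def follow_graph(events):
    """Map each author to the pubkeys in its kind 3 'p' tags (last event seen for an author wins)."""
    graph = {}
    for ev in events:
        if ev.get("kind") != 3:
            continue
        graph[ev["pubkey"]] = {t[1] for t in ev.get("tags", []) if len(t) > 1 and t[0] == "p"}
    return graph

def hops_to(graph, me, target, max_hops=3):
    """Breadth-first distance from me to target along follow edges; None if beyond max_hops."""
    seen, queue = {me}, deque([(me, 0)])
    while queue:
        node, dist = queue.popleft()
        if node == target:
            return dist
        if dist == max_hops:
            continue
        for nxt in graph.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, dist + 1))
    return None

def followed_by_my_follows(graph, me, target):
    """Accounts I follow that also follow target: the 'followed by N people you follow' figure."""
    return sorted(f for f in graph.get(me, ()) if target in graph.get(f, ()))

def wot_summary(graph, me, target):
    """The social context shown for a key whose challenge signature has already verified."""
    mutual = followed_by_my_follows(graph, me, target)
    return {"hops": hops_to(graph, me, target), "followed_by": len(mutual), "names": mutual}

if __name__ == "__main__":
    g = follow_graph(SAMPLE_KIND3)
    print(wot_summary(g, "alice", "zed"))      # two hops, followed by bob and carol
    print(wot_summary(g, "alice", "mallory"))  # hops None: no follow path at all
```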

The ephemeral keypair is discarded after verification. Even if the Challenger's real Nostr keys are later compromised, this particular exchange remains unrecoverable. The timestamp bounds how long a response stays valid, and the nonce binds each response to the single challenge that produced it, so a captured response cannot be replayed against a later challenge.
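The signing and checking core of the exchange above, as an added example (not code from the post or from any existing app): a compact BIP340 Schnorr implementation stands in for a secp256k1 library, the Witness signs a hash over the nonce, timestamp and its pubkey, and the Challenger checks the nonce, the timestamp window and the signature in that order. NIP-59 gift wrapping, relay transport, the ephemeral key and the follow-graph query are left out; the field layout and the 300-second freshness window are assumptions.

```python
import hashlib, json, secrets
# secp256k1 constants and a minimal BIP340 Schnorr sign/verify, written for this example
# so it runs with no secp256k1 library (a real app would use a vetted library instead)
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
b32 = lambda n: n.to_bytes(32, "big")
def add(a, b):  # affine point addition; None is the point at infinity
    if a is None or b is None: return a or b
    if a[0] == b[0] and a[1] != b[1]: return None
    lam = (3 * a[0] * a[0] * pow(2 * a[1], P - 2, P) if a == b
           else (b[1] - a[1]) * pow(b[0] - a[0], P - 2, P)) % P
    x = (lam * lam - a[0] - b[0]) % P
    return (x, (lam * (a[0] - x) - a[1]) % P)
def mul(k, pt):  # double-and-add scalar multiplication
    r = None
    while k:
        if k & 1: r = add(r, pt)
        pt, k = add(pt, pt), k >> 1
    return r
def th(tag, *parts):  # BIP340 tagged hash, returned as an integer
    t = hashlib.sha256(tag.encode()).digest()
    return int.from_bytes(hashlib.sha256(t + t + b"".join(parts)).digest(), "big")

def schnorr_sign(sk, msg):
    pt = mul(sk, G); d = sk if pt[1] % 2 == 0 else N - sk  # negate to get the even-y key
    t = b32(d ^ th("BIP0340/aux", secrets.token_bytes(32)))
    k = th("BIP0340/nonce", t, b32(pt[0]), msg) % N
    r = mul(k, G); k = k if r[1] % 2 == 0 else N - k
    e = th("BIP0340/challenge", b32(r[0]), b32(pt[0]), msg) % N
    return b32(r[0]) + b32((k + e * d) % N)

def schnorr_verify(pk, msg, sig):
    x, r, s = (int.from_bytes(v, "big") for v in (pk, sig[:32], sig[32:]))
    y = pow(x ** 3 + 7, (P + 1) // 4, P)  # lift the x-only pubkey to its even-y point
    if x >= P or r >= P or s >= N or y * y % P != (x ** 3 + 7) % P: return False
    e = th("BIP0340/challenge", sig[:32], pk, msg) % N
    R = add(mul(s, G), mul(N - e, (x, y if y % 2 == 0 else P - y)))  # R = sG - eP
    return R is not None and R[1] % 2 == 0 and R[0] == r

# Protocol core: the Witness signs the hash of [nonce, timestamp, pubkey] (the fields a Nostr
# event id commits to); the Challenger checks the nonce, then freshness, then the signature
def witness_respond(sk, nonce, created_at):
    pk = b32(mul(sk, G)[0])
    msg = hashlib.sha256(json.dumps([nonce, created_at, pk.hex()]).encode()).digest()
    return {"pubkey": pk.hex(), "nonce": nonce, "created_at": created_at, "sig": schnorr_sign(sk, msg).hex()}
def challenger_check(resp, nonce, now, max_age=300):
    if resp["nonce"] != nonce or abs(now - resp["created_at"]) > max_age: return False
    msg = hashlib.sha256(json.dumps([nonce, resp["created_at"], resp["pubkey"]]).encode()).digest()
    return schnorr_verify(bytes.fromhex(resp["pubkey"]), msg, bytes.fromhex(resp["sig"]))
```

A response with a stale timestamp, a foreign nonce, a modified signature, or a claimed pubkey other than the one that signed all fail the check.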

For channels where neither party can reach Nostr relays, the protocol falls back to pure copy-paste: the Witness sends the signed response directly through the anonymous channel. Any medium that can carry text can carry the verification. Relay transport is the preferred mode; copy-paste is the universal fallback.

The Witness must choose to sign the challenge and nobody can compel it. Compare this to KYC extraction, where a third party compels identification as a precondition of participation: one system takes identity by force while the other lets the Witness offer proof freely.

One caveat deserves explicit treatment. When the Witness proves their identity to the Challenger, that disclosure cannot be undone. Any tool that performs this function should make the consequence visible: you are about to link your anonymous presence to your known identity in this person's mind.

The implementation requires no new cryptography. Nostr's NIP-42 and NIP-98 already use challenge-response signing for relay and HTTP authentication. NIP-59 gift wrapping is production-tested in every client that supports private DMs. The verification app combines these existing primitives into a peer-to-peer protocol across any channel. A dedicated event kind for verification challenges would contain the nonce alongside a timestamp and optional channel identifier. Every operation uses infrastructure that exists today.

Signal's safety number verification offers a useful contrast. A study found that only fourteen percent of participants figured out how to perform this ceremony without assistance. Even with prior instruction, the success rate reached only seventy-nine percent. The challenge-response app described here does not solve the adoption problem. Nothing solves that problem. But it gives the motivated minority a tool that works across every channel while using trust infrastructure that already exists.

Nostr, through the accumulated choices of hundreds of thousands of users following each other for entirely ordinary reasons, built the web of trust that PGP proposed in 1992 and that no subsequent system managed to construct through deliberate effort. The components are ready. Someone should build this.