by floober 1636 days ago
> It insists on having a chain of updates from a single user, which feels unnecessary to me and something that adds bloat and rigidity to the thing — each server/user needs to store all the chain of posts to be sure the new one is valid. Why? (Maybe they have a good reason);

I assume this is so a relay can't manipulate your messaging by picking and choosing which messages to forward; they'd have to forward messages [0-N].

Edit:

> sig: <64-bytes signature of the sha256 hash of the serialized event data, which is the same as the "id" field>

Signed hash rather than a MAC - might be vulnerable to an extension attack

1 comment

I'm not associated with this project in any way, but your comment got me curious. It seems that since each message is signed with the private key, even if you were able to perform an extension attack (which I agree it seems like you would be able to), you wouldn't be able to sign the message, so it should be rejected by the relay. The signature is based on the message ID, which itself is the SHA256 of the rest of the message, so by doing an extension you necessarily change the SHA256, which should invalidate the signature.

But I'm an idiot, so who knows.
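The check both comments are circling (the id is the sha256 of the serialized event, the signature is over that id, so a relay that appends to or otherwise alters the data cannot keep the old id and sig valid) can be shown end to end. The following is an added example written for this thread, not code from the project or from either commenter. It assumes a simplified JSON serialization and uses Ed25519 from Go's standard library as a stand-in for whatever signature scheme the protocol actually specifies; `Event`, `SignedEvent`, `relayCheck` and `Demo` are hypothetical names, and the sample event content is constructed.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Event holds the data that gets serialized and hashed into the id.
// Field set and serialization are simplified stand-ins, not the real wire format.
type Event struct {
	PubKey    string `json:"pubkey"`
	CreatedAt int64  `json:"created_at"`
	Kind      int    `json:"kind"`
	Content   string `json:"content"`
}

// SignedEvent is what travels to a relay: the data plus the claimed id and sig.
type SignedEvent struct {
	Event
	ID  string `json:"id"`
	Sig string `json:"sig"`
}

func serialize(e Event) []byte {
	b, err := json.Marshal(e)
	if err != nil {
		panic(err)
	}
	return b
}

// eventID is the sha256 of the serialized event data, as the thread describes.
func eventID(e Event) []byte {
	sum := sha256.Sum256(serialize(e))
	return sum[:]
}

// signEvent signs the id (the hash), not the raw data; Ed25519 here is an assumption.
func signEvent(priv ed25519.PrivateKey, e Event) SignedEvent {
	id := eventID(e)
	return SignedEvent{
		Event: e,
		ID:    hex.EncodeToString(id),
		Sig:   hex.EncodeToString(ed25519.Sign(priv, id)),
	}
}

// relayCheck is the validation a relay must run: recompute the id from the bytes it
// actually received, compare it to the claimed id, then verify the signature over
// the recomputed id. Trusting the transmitted id would defeat the whole point.
func relayCheck(pub ed25519.PublicKey, se SignedEvent) error {
	id := eventID(se.Event)
	claimed, err := hex.DecodeString(se.ID)
	if err != nil || !bytes.Equal(claimed, id) {
		return errors.New("id does not match sha256 of received event data")
	}
	sig, err := hex.DecodeString(se.Sig)
	if err != nil || !ed25519.Verify(pub, id, sig) {
		return errors.New("signature does not verify over recomputed id")
	}
	return nil
}

// Demo signs a constructed event, then simulates a relay that appends data to the
// content while forwarding the original id and sig. It reports whether the relay
// check accepts each version: the original should pass, the extended one should not.
func Demo() (originalOK, extendedOK bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	e := Event{PubKey: hex.EncodeToString(pub), CreatedAt: 1600000000, Kind: 1, Content: "hello"}
	se := signEvent(priv, e)
	originalOK = relayCheck(pub, se) == nil

	// Appending to the data changes its sha256, so the old id (and the sig over it)
	// no longer match what the relay recomputes.
	tampered := se
	tampered.Content += " (appended by relay)"
	extendedOK = relayCheck(pub, tampered) == nil
	return originalOK, extendedOK
}

func main() {
	o, x := Demo()
	fmt.Printf("original accepted: %v, extended accepted: %v\n", o, x)
}
```

The design point: a hash-then-sign scheme is only as good as the verifier's refusal to trust the transmitted hash. Recomputing the id from received bytes is what turns the sha256 into a binding commitment; length extension on the hash itself gives an attacker nothing here, because any extended message hashes to a different id than the one the private key signed.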