> Also: don't use ECC signatures as MACs. Signatures are not MACs.

Could you explain more? What are the downsides of a signature vs. a MAC here?

He says "this is complete nonsense" specifically about the statement quoted. Not about the whole report.

They're saying that about a concrete claim the paper makes that they concede in the next paragraph.

I don't want to speak for Will, but from my read he is specifically highlighting that "The event protocol that drives the system doesn't authenticate public keys" is the nonsense, because the protocol specifies that clients validate signatures on events using the public keys.

This makes sense in nostr, because anyone at any point can mint new public key and start posting events and other people are free to start following them, from which point they can ensure that the new events are coming from the person holding the same private key. And this is what relays and clients do.