
Add language that explicitly deters IDPs (Facebook, Google, MSFT etc.) from abusing subdomain-based IDs

Status: Open. csuwildcat opened this issue 6 years ago. 4 comments.

I feel we should add language to the spec that specifically warns against and deters use of did:web with subdomains in ways that are not in keeping with the purpose of DIDs. For example: a large IDP may try to create subdomains on its centralized IDP service domain and 'issue' DIDs to users/customers, which would essentially lock their DID to that provider, the exact opposite of what DIDs were designed to do.

csuwildcat, Dec 09 '19 19:12

I am not sure I fully understand the concern.

Let's examine a use case involving an email service idpmail.com with users Alice and Bob. If I am reading the above correctly, it would be abusive for this IDP to resolve:

did:web:alice.idpmail.com and did:web:bob.idpmail.com

to enable Alice and Bob to expose public keys so that they could send, receive, verify or decrypt signed or encrypted email.

Similarly, user Charlie with a private server could participate by exposing: did:web:charlie.privatemail.com

Why would this be abusive?

gribneau, Mar 19 '20 17:03

I recommend closing this, I don't see this as an issue, in fact it would be awesome to see more adoption by larger tech companies of did:web... for example, github already supports something very similar....

https://github.com/OR13.gpg

wouldn't it be better if they did this instead?

did:web:github:OR13 :)

OR13, Oct 20 '20 15:10
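To make the two styles of identifier discussed above concrete, here is an added example (not code from this thread or from the did-method-web project) that maps a did:web identifier to the HTTPS URL a resolver fetches, following the published read algorithm: colons in the method-specific id become path separators, a percent-encoded `%3A` in the first segment becomes a port separator, and `/.well-known` is used when no path is given. `did:web:github.com:OR13` and the port example are constructed variants of the identifiers in the thread; `controlling_host` shows which host serves, and therefore controls, each DID document, which is the dependency csuwildcat's concern is about.

```python
from urllib.parse import unquote, urlsplit

PREFIX = "did:web:"


def did_web_to_url(did: str) -> str:
    """Map a did:web identifier to the URL of its DID document.

    did:web:alice.idpmail.com              -> https://alice.idpmail.com/.well-known/did.json
    did:web:github.com:OR13                -> https://github.com/OR13/did.json
    did:web:example.com%3A8443:users:alice -> https://example.com:8443/users/alice/did.json
    """
    if not did.startswith(PREFIX):
        raise ValueError(f"not a did:web identifier: {did!r}")
    segments = did[len(PREFIX):].split(":")
    if not segments[0]:
        raise ValueError("did:web identifier has no domain")
    # Only the first segment may carry a percent-encoded port ("%3A" -> ":").
    host = unquote(segments[0])
    path_segments = segments[1:]
    if any(seg == "" for seg in path_segments):
        raise ValueError("empty path segment in did:web identifier")
    # No path segments means the document lives under /.well-known.
    path = "/" + "/".join(path_segments) if path_segments else "/.well-known"
    return f"https://{host}{path}/did.json"


def controlling_host(did: str) -> str:
    """Return the host name that serves the DID document (port dropped).

    Whoever operates this host can change or remove the DID document, so for
    a subdomain-style identifier the parent domain's operator holds that power.
    """
    return urlsplit(did_web_to_url(did)).hostname


if __name__ == "__main__":
    # Constructed identifiers: the first two appear in the thread above.
    for did in ("did:web:alice.idpmail.com",
                "did:web:charlie.privatemail.com",
                "did:web:github.com:OR13",
                "did:web:example.com%3A8443:users:alice"):
        print(f"{did:45} -> {did_web_to_url(did)}  (served by {controlling_host(did)})")
```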

I agree with closing the issue, and I agree that it would be great if github embraced DID:WEB, which now does what they need.

:)

gribneau, Oct 20 '20 15:10

I am currently squatting on did:github, would love to hand that over to them as well... https://github-did.com/resolver

OR13, Oct 20 '20 15:10