Add language that explicitly deters IDPs (Facebook, Google, MSFT etc.) from abusing subdomain-based IDs

[csuwildcat]

I feel we should add language to the spec that specifically warns against and deters use of did:web with subdomains in ways that are not in keeping with the purpose if DIDs. For example: a large IDP may try to create subdomains on its centralized IDP service domain and 'issue' DIDs to users/customers, which would essentially lock their DID to that provider, the exact opposite of what DIDs were designed to do.

[gribneau]

I am not sure I fully understand the concern.

Let's examine a use case involving an email service idpmail.com with users Alice and Bob. If I am reading the above correctly, it would be abusive for this IDP to resolve:

did:web:alice.idpmail.com and did:web:bob.idpmail.com

to enable Alice and Bob to expose public keys so that they could send, receive, verify or decrypt signed or encrypted email.

Similarly, user Charlie with a private server could participate by exposing: did:web:charlie.privatemail.com

Why would this be abusive?

[OR13]

I recommend closing this, I don't see this an issue, in fact it would be awesome to see more adoption by larger tech companies of did:web... for example, github already supports something very similar....

https://github.com/OR13.gpg

wouldn't it be better if they did this instead?

did:web:github:OR13 :)

[gribneau]

I agree with closing the issue, and I agree that it would be great if github embraced DID:WEB, which now does what they need.

:)

[OR13]

I am currently squatting on did:github, would love to hand that over to them as well... https://github-did.com/resolver