Open morgatron opened 1 year ago
I'm wondering if it's wise to do the following:

Bob, who controls `bobsdomain.com`, wishes to allow Alice to issue VCs on his behalf. Alice controls `alicesdomain.com`.

To allow this, in his DID document Bob puts `did:alicesdomain.com:keysForBob#key1` as a verification method. If at some point Bob wants to change the arrangement he can change his DID document.

I understand this is valid from the VC spec, but the key rotation/revocation prospects seem a bit dicey, among other things. Is there a better way?

I note that Bob could also simply put one of Alice's public keys straight up in his DID document. I don't think this makes anything better though, and it seems a little less honest.

Hi @morgatron, great questions. In general, I don't think the DID mechanism is really meant to be used for delegation of keys /by itself/. (I know there's some inheritance/delegation hierarchy in DID documents via the `controller` property, but its semantics haven't really been specified or explored so far.)

I think capabilities (such as zCaps), or, failing that, Verifiable Credentials, would be a better way to do this.