- From: Bob Wyman <bob@wyman.us>
- Date: Wed, 1 Sep 2021 16:03:19 -0400
- To: public-did-wg@w3.org
Received on Wednesday, 1 September 2021 20:03:42 UTC
The DID V1. spec <https://www.w3.org/TR/did-core/> says:

> it is strongly advised that a requesting party obtain independent
> verification of an alsoKnownAs assertion.

Given an alsoKnownAs value which is a URL, not a DID (i.e. something like "alsoKnownAs": ["https://myblog.example/"]), what mechanisms exist to do such an "independent verification?"

I am concerned about the possibility that an alsoKnownAs could be used to "impersonate," without authorization, the controller of some web resource that has no associated DID document. Is this concern misplaced?

bob wyman