Are did:webs that redirect another domain's did:web ok?

[morgatron]

I'm wondering if it's wise to do the following:

Bob, who controls bobsdomain.com, wishes to allow Alice to issue VCs on his behalf. Alice controls alicesdomain.com

To allow this, in his DID document Bob puts did:alicesdomain.com:keysForBob#key1 as a verification method. If at some point Bob wants to change the arrangement he can change his did document.

I understand this is valid from the VC spec, but the key rotation/revocation prospects seem a bit dicey among other things. Is there a better way?

I note that Bob could also simply put one of Alice's public keys straight up in his DID document. I don't think this makes anything better though, and it seems a little less honest.

[dmitrizagidulin]

Hi @morgatron, great questions. In general, I don't think the DID mechanism is really meant to be used for delegation of keys /by itself/. (I know there's some inheritance/delegation hierarchy in DID documents via the controller property, but its semantics haven't really been specified or explored so far).
I think capabilities (such as zCaps), or, failing that, Verifiable Credentials, would be a better way to do this.