Hacker News
by stebalien 256 days ago
I control my domain name and its DNS but I don't have the keys used to sign my DID. I followed the instructions here: https://bsky.social/about/blog/4-28-2023-domain-handle-tutor...

From my reading of your blog post, it sounds like the DID is the ultimate authority and not my domain name, which sounds like a pretty big problem for user portability.


Right, I see. You can get a key that overrides your PDS if you're worried about your PDS going rogue. See https://www.da.vidbuchanan.co.uk/blog/adversarial-pds-migrat... and https://whtwnd.com/bnewbold.net/3lj7jmt2ct72r. This is more complicated than I'd like it to be.

Ah, that's exactly what I was looking for. Thanks!

I guess I get why it works that way (avoids some issues with domain expiration) but... honestly, I'd rather have my domain name in control. Even after registering my own rotation key, I'm still at the mercy of the centralized PLC directory.

Unfortunately, it looks like it's not possible to migrate to a web DID without starting over.

So the reason to have the DID in control is for users that, say, sign up for Bluesky and have a Bluesky handle which is a domain they don't control and want to move to a different provider without breaking everything. If your handle was the thing in control then you must own a domain to own your account and move providers. That kind of defeats the purpose of migratable PDSs for the "rest of us" use case.

Yeah, you can't migrate a DID. You could bulk-import the content (and even fix internal links within it) but that wouldn't change the links pointing at the old DID.