What happens if someone takes over an expired domain linked to a self-hosted PDS?

[fwdmo]

Let’s imagine Alice runs a self-hosted personal data server (PDS) at pds.whatever.com, and her account (using a did:plc identifier) is tied to this domain. If Alice stops using her account for a long time and forgets to renew her domain, someone else could buy whatever.com after it expires.

If Alice’s DID keys are safe, can the attacker still do harmful things (like post fake data) ever for a short time?

[DavidBuchanan314]

The worst thing the attacker could do is announce that alice's account has been deleted (via an #account) firehose event, since these events are not authenticated.

This ought to be temporary however, since alice can update her DID document to point to a new PDS, which can broadcast a new #account event from there.

[bnewbold]

for completeness, could set any account state (takedown, deactivated, deleted, suspended), and this could result in content which had been cached and available in the network getting pulled down. this might make it harder to recover the account if there wasn't a "local" (on-device, or offline) backup of the account repo (CAR file).

[bnewbold]

David's reply hits the main question for most accounts. Public repos are signed, and somebody getting the PDS domain should not be able to forge posts or other records without the account's cryptographic keys. Hosted blobs (eg, images) are content-addressed and can't be manipulated without detection.

A related case where this can be a problem is did:web identifiers: if folks use a did:web, and then at a later time let the domain expire, somebody can re-register the domain and get full account control, because they control the DID document and can set their own cryptographic keys for the identity.