@jonty @atatassault
did is a user id. if it fails, then "no worries it's just not found". then it calls the xrpc for what the did should be
so if you look at s3.amazonaws.com, the xrpc would be https://s3.amazonaws.com/xrpc/com.atproto.identity.resolveHandle. which, funnily enough, returns a did that's equal to Chaz Schlarp's
so this isn't possible unless you can create /xrpc/com.atproto.identity.resolveHandle, so no cdn.discordapp.net or gist.github.com. still, really funny
@jonty @atatassault
you don't need to have a pds running to verify your domain, but it's a failsafe in case the dns doesn't work
what I am currently looking into is how to fix this lol, it's obviously intentional but I can't seem to see why and obviously if you can control what the domain is then you can impersonate the domain itself. which makes me wonder if other object storages are at risk