@dmitri @lucid00 @grishka It sounds like to me you just explained the same thing, but with different nouns in each place?
ie, the DID would be the "address". The bag of keys is the "identity". The DID method/resolver would essentially act as the domain.
Putting a name@domain on top of that is just involving a second layer of indirection and a second authority you must appease. Having two different layers of indirection and external authorities that must be appeased seems unnecessary.
Also, if organization can be convinced to accept a new identity for an address, that is the method of key rotation or revocation.
@cuchaz @lucid00 @grishka So, yes and no. The DID is the identity. The keys are emphatically /not/ the identity. They are interchangeable methods for cryptographically confirming the identity. DNS / URLs are just one method of implementing DIDs, and there are many others.