> when the same person registered or created all of them
Exactly. How does the service trusting that the address or subdomain as identity know that they refer to the person that created them?
I have surname.tld, I create dave@surname.tld for me and wayne@surname.tld for my brother. If Wayne annoyed me and I was a dick about it I could revoke the name or reconfigure it in order to act in his name maliciously. The same for sub-domains. How does a service wanting to trust the address as ID know which of us has that control? My identity is more strongly linked to my token (address/sub-domain) than Wayne's but there is no way to infer this from the identifying tokens themselves.
Of course a hack at domain registrar level could stiff it all over, so even only using top-level domains isn't perfect, but there is definitely a difference in the level of identity stability guarantee between domain and sub-domain or email address. (So the is a difference between dholms.xyz, and dan@dholms.xyz or dan.dholms.xyz)
Exactly. How does the service trusting that the address or subdomain as identity know that they refer to the person that created them?
I have surname.tld, I create dave@surname.tld for me and wayne@surname.tld for my brother. If Wayne annoyed me and I was a dick about it I could revoke the name or reconfigure it in order to act in his name maliciously. The same for sub-domains. How does a service wanting to trust the address as ID know which of us has that control? My identity is more strongly linked to my token (address/sub-domain) than Wayne's but there is no way to infer this from the identifying tokens themselves.
Of course a hack at domain registrar level could stiff it all over, so even only using top-level domains isn't perfect, but there is definitely a difference in the level of identity stability guarantee between domain and sub-domain or email address. (So the is a difference between dholms.xyz, and dan@dholms.xyz or dan.dholms.xyz)