Now that there’s Blockstack Auth, there’s the possibility for services (i.e. this forum) to use Blockstack IDs as identifiers. When taking non-serverless (legacy) services and linking Blockstack IDs to that, you have user data (i.e. private messages) that’s still under control of that service but linked to a Blockstack ID. But Blockstack IDs can expire and another user can pick it up (which could become an even bigger problem with crawlers etc).
Therefore the question arises of what should happen with the linked data, and I’d like to kick off a discussion about this.
What happens with user data when someone picks up my ID after I forgot to renew it (or when I intentionally don’t renew it)?
Should services delete my data when I revoke my ID?
Do I lose all my account data when I forget to renew my ID?
Is it the duty of the service that uses Blockstack Auth to handle this accordingly?
The way Blockstack Auth currently works is that it provides the calling application with a unique decentralized identifier (DID). This identifier is a bitcoin address.
It can optionally provide a verified Blockstack ID.
One way to solve this problem is to have a unique identifier tied to the lifecycle of a name. The identifier is created when the name is registered and follows the name through transfers to different addresses until it is revoked or perhaps transferred with a special command that indicates it is changing ownership.
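
One way a service could handle the name-reuse case raised in this thread using only the DID that Blockstack Auth provides today, as an added example that is not part of the original posts or of Blockstack's own code. `AccountStore`, `login`, the event strings and all sample values are hypothetical; the sketch assumes the service receives a DID and, optionally, a verified Blockstack ID on each login.

```python
# Added example: hypothetical service-side account store, not Blockstack code.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Account:
    did: str                        # stable key: the DID from the auth result
    name: Optional[str] = None      # verified Blockstack ID, a mutable label
    messages: list = field(default_factory=list)


class AccountStore:
    def __init__(self):
        self.by_did = {}            # DID -> Account (user data lives here)
        self.name_owner = {}        # Blockstack ID -> DID that last proved it

    def login(self, did, verified_name=None):
        """Return (account, event) for one authentication result."""
        event = "existing" if did in self.by_did else "created"
        account = self.by_did.setdefault(did, Account(did))
        if verified_name is None:
            return account, event
        previous = self.name_owner.get(verified_name)
        if previous is not None and previous != did:
            # The name is now verified for a different DID (expired and
            # re-registered, or moved to another address). Fail closed:
            # detach the label, leave the data with the old DID.
            self.by_did[previous].name = None
            event = "name_reassigned"
        if account.name and account.name != verified_name:
            self.name_owner.pop(account.name, None)  # this DID switched names
        self.name_owner[verified_name] = did
        account.name = verified_name
        return account, event


if __name__ == "__main__":
    store = AccountStore()
    # Constructed sample values; real DIDs would be bitcoin addresses.
    first, _ = store.login("ADDR_FIRST_OWNER", "alice.id")
    first.messages.append("private message")
    second, event = store.login("ADDR_SECOND_OWNER", "alice.id")
    print(event, second.messages, store.by_did["ADDR_FIRST_OWNER"].messages)
```

Because data is keyed on the DID, the new holder of the name starts with an empty account, and the `name_reassigned` event gives the service a point at which to apply its own retention or deletion policy for the previous holder's data.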