web:verify

Summary

web:verify identifies a public backing claim for a web domain by the signing Chronicle pubkey.

Subject

subject MUST be of type domain_name.

Motivation

A domain is one of the main public identity surfaces on the web. web:verify lets clients connect that domain to a specific Chronicle pubkey with public credibility at stake.

Clients may use web:verify as evidence that the signing pubkey stands behind that domain and is willing to stake its reputation on that claim.

Proof of control

To strengthen a web:verify claim, the domain owner SHOULD serve the same pubkey at:

https://<domain>/.well-known/chronicle-pubkey

The response body SHOULD be a canonical schnorr_pubkey, optionally followed by a trailing newline.

If the pubkey served at that path matches the pubkey that signed the web:verify event, clients may treat that as evidence that the domain is controlled by that pubkey.

If the domain does not serve that path, or serves a different pubkey, the web:verify event remains a public backing claim but without this additional proof of control.

Interpretation

Multiple pubkeys may emit web:verify for the same domain. This kind does not resolve competing claims on its own.

A matching /.well-known/chronicle-pubkey response is stronger evidence than an unmatched competing claim. When no matching proof of control is present, clients may weigh competing claims by the credibility of the specific web:verify events and of the pubkeys that signed them.