One of the functions of an Agency endpoint is to forward messages to a cloud agent. This provides network anonymity and avoids connection correlation between agents. This forwarding feature could also be provided by a ‘proxy’ agency that hosts no agents, but forwards messages purely for the security it provides as an extra layer.
When I create a new DID, I need to ask my Agency agent to forward inbound messages for that DID to my agent. I can make this request, and perhaps provide payment for such services.
Here’s the question: How does the agency know that I should be receiving those messages? Particularly for Ledgerless DIDs, there may be no public record of the DID, and no way to verify a signature. Also, is this really a problem?
The attack surface is small: such a false registration would only be useful if a message were actually sent to the Agency for that DID. But what if one were? What if somebody else had already requested forwarding for that DID with intent to deceive or block?
This may entirely be a non-issue. Any thoughts?