DID method strategy for AI agent audit trails (ADR-0007) — seeking input

[ojongerius]

We're deciding which DID methods the Agent Receipts protocol should support — and how. This is the first forward-looking ADR, so we're opening it as a Discussion before merging.

Where we are today: The spec requires DIDs for agent (issuer.id) and principal identity, but v0.1 uses placeholder methods (did:agent:, did:user:) with no resolution mechanism. Verifiers need out-of-band key exchange. This works for local dev but not for production.

The leading candidate (details in #164):

1. did:key as default — zero-config, self-certifying, no infrastructure. The public key is the identifier.
2. did:web recommended for production — domain-anchored identity, key rotation via DID Document updates, human-readable.
3. Pluggable resolver interface — SDKs expose a resolver interface for any other DID method.

In scope for this discussion: which DID method(s) the protocol should support, how key rotation interacts with hash-chained credentials, what minimum interoperability baseline conformant implementations should meet.

Out of scope: whether to use DIDs at all (that decision is reflected in v0.1 of the spec and ADR-0003), whether to use W3C Verifiable Credentials as the envelope (ADR-0003).

What we'd like input on:

• Is did:web the right production-tier recommendation for agent identity? Its DNS dependency is a feature (organizational anchoring) and a liability (centralized trust, domain expiry).
• Should did:tdw (Trust DID Web) be considered instead? It adds verifiable history but is newer.
• How should key rotation interact with hash-chained receipt chains? Old receipts must remain verifiable after rotation.
• Is did:peer useful for agent-to-agent delegation scenarios?
• What's the minimum set of DID methods a conformant implementation should support?

Context: Agent Receipts is an open protocol for cryptographically signed audit trails of AI agent actions. Each receipt is a W3C Verifiable Credential signed with Ed25519 and hash-chained. We have three SDK implementations (Go, Python, TypeScript). The full spec is at spec/spec/agent-receipt-spec-v0.1.md.

The ADR itself: docs/adr/0007-did-method-strategy.md (merged in #164)