there's one major thing that concerns me, though (as far as i understand, i may be wrong, please correct me if i am) so there's such thing as "PLC Server" (https://plc.directory). which is basically a global thing responsible for resolving their `did:plc` identifiers to pds and <i>user's public keys</i>. a *centralized* thing in a federated network, yep and im not really a security expert, but aren't we putting too much trust on that plc server? like, what if an attacker happened to take over that server? there's literally nothing stopping them from changing the public key in the database like yeah, there are publicly available signed audit logs (which are basically a per-did blockchain), but how can a third party know they were not tampered with too? the only (kinda) solution i could think of is to continuously validate changes to the directory and reject improperly signed ones. and i haven't found the reference implementation doing that.