There's no reason to make "u" mandatory.  I dont propose dropping it, just loosening it for the use case where there's no well defined domain.  ie blossom and similar things.  This was always the intent.

A bit of text would allow the blossom use case to happen with content addressable files, and also the domain specific use case.

This is a bit bigger than nostr.  The whole web needs such an auth scheme.  Thanks for the feedback though, definitely interesting and will try and take it into account.

Hopefully we can standardize this at the w3c level, so that more people can use it.  There's tons of communities that would benefit from single-sign-on, but do not realize it's working.  Similarly its very common to want to upload a blob on a server, via a user, and mirror it in many places, maybe even with payments.