Even though it is not a direct concern of the DID method specification but rather of a signing envelope profile, it is beneficial to provide strong guidance since there is only one obvious place for the certificate chain to go, both in COSE and JWS.
@scouten-adobe to revise section 11 (DID resolution options) to tie in the understanding that the X.509 chain comes from the signature envelope as described in this issue.
Even though it is not a direct concern of the DID method specification but rather of a signing envelope profile, it is beneficial to provide strong guidance since there is only one obvious place for the certificate chain to go, both in COSE and JWS.
For COSE, it would be the x5chain (label 33) header parameter, see https://www.iana.org/assignments/cose/cose.xhtml#header-parameters.
For JWS, it would be the x5c header parameter, see https://www.iana.org/assignments/jose/jose.xhtml#web-signature-encryption-header-parameters.
This is in line with the DID resolution spec which defines a draft HTTP binding and uses standard HTTP headers where available for resolution options.
Ideally, in the future, there is a single JWS/COSE binding specification for DID-issued content, but that will take a while.
Migrated from https://github.com/microsoft/did-x509/issues/4.