w3c / did-resolution

RELEASED DRAFT: Decentralized Identifier Resolution (DID Resolution) 0.2 Specification
https://w3c.github.io/did-resolution/

Validate signatures/proofs of DID Document #13

Open peacekeeper opened 5 years ago

peacekeeper commented 5 years ago

If a DID Document retrieved from a target system contains a signature or other proof, specify how it gets validated during the DID Resolution process.

Note: This is different from the topic that a DID Resolver could itself also add a signature or other proof to the result of the DID Resolution process.

See also https://github.com/w3c-ccg/did-spec/pull/66.

mwherman2000 commented 5 years ago

  1. Re: "If a DID Document retrieved from a target system contains a signature or other proof...". NOTE: This is an important statement because it admits the use case where a DID Document doesn't contain a signature or other proof.
  2. Question: Is signature/proof validation technically part of the role of a Resolver? ...or should it be part of the role of a higher-level Resolver "client/driver library"?
  3. Question (closely related to 2.): If signature/proof validation is part of the Resolver role, how is a middle-tier piece of software (e.g. a service) expected to be able to read back DID Documents that either don't have a signature/proof or the signature/proof is invalid? ...this is a valid real world use case from the perspective of DID/Ledger monitoring and management.

vitorpamplona commented 1 year ago

What is the latest on this one? I am trying to create a signed DID:WEB and I have no idea where to put the "proof" section. Looks like it went from being in the DIDDocument to the DID:Method to the DID Resolution Result, but the DID Resolution Result spec doesn't have any mention of a proof section. I also don't really get where to store the proof section if it should not be inside the DID Document itself. Is there another file that the resolver hits to download the proof itself to put into the DID Resolution Result? Or should it be transferred over the HTTP headers of the did.json URL?