
Document/user guide on determining the legitimacy of a DID-party


There's a gap not covered by the specification(s): how do I know someone is who they claim they are?

Here are some potential strategies:

  1. By credentials they are issued, you can get a sense of who they are (e.g. a business license from a government)
  2. Tie to an existing trust establishment (e.g. using a ./well-known file to tie control to a website)
  3. A reputation system, which may include attestations and/or proof by others

I do not believe this needs to be an independent specification, though it may be worth coming up with a guiding document outlining possible approaches for determining the authenticity of a DID-party.

Alternative: a specification or formal manner for a DID-party to say "this is how you should trust me" -- and they can surface any of the above.