w3c-ccg / did-method-web

DRAFT: did:web Decentralized Identifier Method Specification

Home Page: https://w3c-ccg.github.io/did-method-web/

Needs auth

rhiaro opened this issue

There is no authentication or authorization mechanism applied to the DID Document, leaving it unprotected from modification by an attacker.

I think this is a duplicate of issue #13?

@rhiaro I propose this issue be closed as either duplicate of #13 or out of scope.

Auditability (being able to check historical changes) is completely different to having a mechanism to decide who is allowed to do those changes in the first place, isn't it (this issue being about the latter)?

@rhiaro ah, I see. In that case, no, the spec cannot dictate that - the auth policies differ for each individual site (much like the update/delete/etc operations).

Agree, this issue should be closed, this will be at the discretion of the web service provider / hosting company... I'll suggest using GitHub / version control, but I don't think it's appropriate to call this an "issue" with the method... it's actually a "feature" of the method... that comes from its legacy-facing interoperability design considerations.