Add expires and revoked fields to VerificationMethod (go-did)

[stevenvegt]

Parent PRD

#4079

What to build

Add Expires and Revoked fields to the VerificationMethod struct in the nuts-foundation/go-did library. These fields allow DID resolvers to annotate keys with temporal validity information (certificate expiry, revocation status), which key resolvers then use to determine if a key was valid at a given reference time (PSA 10.4.3).

• Expires: optional timestamp indicating when the key expires (e.g., certificate notAfter)
• Revoked: optional timestamp indicating when the key was revoked (e.g., CRL revocation date)

This aligns with the PSA spec's layered validation model where DID resolution enriches the DID document with key metadata, and key resolution uses that metadata to make time-based validity decisions.

Acceptance criteria

• VerificationMethod struct in go-did has an Expires field (optional timestamp)
• VerificationMethod struct in go-did has a Revoked field (optional timestamp)
• Fields serialize/deserialize correctly in JSON
• Existing tests pass, no breaking changes to the VerificationMethod API
• nuts-node dependency on go-did is updated to the new version

Blocked by

None — can start immediately.

User stories addressed

• User story 6: key validity checked at credential's issuance time
• User story 8: layered validation model (DID resolution → key resolution)