Web services may choose to "bind" profile archives to user accounts. An example of this is being planned in Hashbase: by reading profile dats, we can use the same username and avatar as they use with their Dat applications.
However, to stop users' identities from being stolen, we at Hashbase need to verify ownership of an archive before binding it to the profile. To accomplish this, we use "proofs."
Proofs are a relatively simple concept. They are a way to prove that the connecting user can write to an archive.
To create a proof, the service creates an unguessable token. The token needs to be wrapped in a data format to avoid giving away signing-control of your key. The token may also be signed by the service, but that's not necessary.
The service then asks the browser to write the token to a pre-specified path under /.proofs. By writing the token, then syncing the update to the service, the browser proves it has authoring control of the archive.
A service which has proven ownership of a profile archive may want to then publish that information. It might provide an API to lookup profile archives by username.
An archive's URL is a public key which can be used for encryption. A user lookup service is, therefore, a user key distribution service. Anybody consuming the service must be confident that the service is telling the truth.
To improve auditability, services could publish its profile archive bindings on a Dat archive. Because Dat archive histories are flattened merkle trees, the network of recipients can ensure that one definitive dataset is distributed. However, this solution should be approached with care and explored heavily before deployment.