Carlos, sorry to be slow in responding—I have been traveling the past few days.
First, RE your question of whether a DDO can be updated—yes, absolutely, in fact it is one of the requirements of the DID specification that an identity owner (or a guardian) must always be able to update the DDO for a DID registered to that owner (see section 7.3).
Secondly, the question you asked about the “right to be forgotten” is actually a very important one that helped guide the development of DID and DDO architecture. The reason is that, as you point out, distributed ledgers are immutable. So if you put any PII (personally-identifiable information) into a ledger—even encrypted—it can’t be “forgotten”.
The solution comes down to this: do not put any PII into a public ledger. Rather a DDO should only contain public data that describes how you can interact with an identity owner without revealing any private data about the identity owner. That’s why the DID spec for DDOs include public keys (for securing communications) and service endpoints (for interaction) but no PII.
Thus any PII or other private data that an identity owner may choose to associated with a DID should be: a) stored someplace off-ledger (e.g., by a Sovrin app or agent), and b) shared peer-to-peer with relying parties under a link contract that gives the identity owner the right to assert the right for that private data to be forgotten
I should note that, with this design, Sovrin infrastructure is in fact ideal for implementing the right to be forgotten because a signed link contract stored with a Sovrin agent gives an identity owner his/her own tool for exercising that right at any time. Rather than the identity owner having to: a) navigate to the correct page of relying party’s website (or worse, call a call center), b) re-authenticate themselves to the relying party and c) identify the data to be forgotten, the identity owner can simply instruct his/her Sovrin agent to send a digitally signed “forget me” request to the relying party. That request will include the link contract under which the private data was shared (which includes the identity owner’s DID). Once the relying party verifies the digital signature on the forget me request, the relying party will have everything it needs to delete the private data and returned a signed acknowledgement that it did so back to the identity owner, plus the audit trail necessary to prove compliance to a regulatory body.
How’s that for Privacy by Design?
Lastly, you asked what if an identity owner wants to completely disable and revoke a DID. Once again this is a requirement of the DID spec—see section 7.4. Every DID method (definition of how DIDs are implemented on a specific distributed ledger) MUST define how to do this. With regard to the Sovrin DID method, your guess is exactly right: the identity owner simply points the DID to a null DDO. That’s “DID death”.