Requirements around DID URLs #83

@TimoGlastra

There are a few requirements around DID URLs that are not clear enough, or not compatible with requirements from OID4VCI. I want to make a few suggestions for DIIP v5.

Credential cnf.kid

There was some confusion whether the kid must be the DID or an absolute DID URL. We agreed on absolute DID URL.

The current text defines:

Requirement: DIIP-compliant implementations MUST support a cnf holder binding claim in the [[ref: Issuer]]'s jwt and it MUST include a kid value from the authentication Verification Method relationship of the respective [[ref: Holder]]'s [[ref: DID]] document.

Maybe we can update this to include an example:

Requirement: DIIP-compliant implementations MUST support a cnf holder binding claim in the [[ref: Issuer]]'s jwt and it MUST include a kid value from the authentication Verification Method relationship of the respective [[ref: Holder]]'s [[ref: DID]] document. For example did:web:example.com#123.

Credential jwt proof iss

The spec currently defines that the iss value in a JWT proof in a credential request MUST be a did:

Requirement: DIIP-compliant implementations MUST support the jwt proof type with a [[ref: did:jwk]] or [[ref: did:web]] as the iss value and use a kid from the assertionMethod Verification Method relationship of the respective [[ref: Issuer]]'s [[ref: DID]] document.

However, this is not compatible with the requirement from OID4VCI that the iss value MUST be the client_id (in case of authorization code flow).

I think we should update the requirement to not require the iss value to be a DID, and instead require the kid value to be an absolute DID URL. In case of authorization code flow, the iss MUST then be the client ID; in anonymous cases, the iss doesn't have to be any value.
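
An added example, not part of the original issue or the DIIP text: a Python check of the two rules proposed above for a credential-request JWT proof (kid is an absolute DID URL; iss equals the client ID in the authorization code flow and is not checked for anonymous access). The function names, the `wallet-client` client ID, the issuer URL and the simplified DID URL pattern, which requires a fragment as in `did:web:example.com#123`, are assumptions.

```python
import base64
import json
import re
from typing import List, Optional

# Simplified DID URL pattern (an assumption of this example): a DID, an optional
# path and query, then a non-empty fragment that names the verification method.
ABSOLUTE_DID_URL = re.compile(
    r"^did:[a-z0-9]+:[A-Za-z0-9._:%-]+(/[^?#]*)?(\?[^#]*)?#[^#]+$"
)


def _decode_segment(segment: str) -> dict:
    """Decode one base64url JWT segment (padding restored) into a dict."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def check_proof_jwt(jwt: str, client_id: Optional[str] = None) -> List[str]:
    """Return rule violations for a JWT proof; an empty list means none.

    Pass client_id for the authorization code flow, None for anonymous access.
    The signature is NOT verified here; that must happen separately.
    """
    header_b64, payload_b64, _signature = jwt.split(".")
    header, payload = _decode_segment(header_b64), _decode_segment(payload_b64)
    errors = []
    kid = header.get("kid")
    if not isinstance(kid, str) or not ABSOLUTE_DID_URL.match(kid):
        errors.append(f"kid is not an absolute DID URL: {kid!r}")
    if client_id is not None and payload.get("iss") != client_id:
        errors.append("iss must equal the client_id in the authorization code flow")
    return errors


def make_sample_jwt(kid: str, payload: dict) -> str:
    """Build a constructed, unsigned sample proof (placeholder signature)."""
    header = {"alg": "ES256", "typ": "openid4vci-proof+jwt", "kid": kid}
    parts = [json.dumps(part).encode() for part in (header, payload)]
    encoded = [base64.urlsafe_b64encode(p).rstrip(b"=").decode() for p in parts]
    return ".".join(encoded + ["c2ln"])


# Constructed samples; "wallet-client" is a hypothetical client_id.
AUD = "https://issuer.example"
WITH_CLIENT = make_sample_jwt("did:web:example.com#123", {"iss": "wallet-client", "aud": AUD})
ANONYMOUS = make_sample_jwt("did:web:example.com#123", {"aud": AUD})
BARE_DID = make_sample_jwt("did:web:example.com", {"aud": AUD})
RELATIVE = make_sample_jwt("#123", {"aud": AUD})
```

A bare DID or a relative reference such as `#123` in kid is reported, while a proof without iss passes only when no client ID is expected.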
