Constrain id-hub API for status list retrieval

[dwight-holman]

trafficstars

I think we need add something to the effect of

If the credentialStatus property refers to an ID Hub, the ID Hub MUST respond to unsigned, unencrypted message as described in Section 9.1.1 of the id-hub spec with a status code of 200 and a single JWT encoded credential in the entries, as described in section 9.2.

I'm not sure if verifiers need or want to implement permissions grants and whatnot given that status list credentials should be world readable, and authenticating as a particular verifier could have privacy concerns.