Paul Bastian

Results 125 comments of Paul Bastian

I think that the current design of `claims` in Authorization Details still is confusing and improvable, but I would not suggest to remove it any longer. Maybe better to open...

I don't think there is much benefit, as the credential endpoint is directly connected to the credential issuer base URL in the issuer metadata, but I see the point. Reading...

So after reading this long issue, I want to share my views:
- I agree that nonce is preferred over jti variation, which matches my initial drafts that used the...

The actual usage of attestation-based client authentication, i.e. how to do this, is currently described in HAIP.

I fixed this within this commit: https://github.com/openid/OpenID4VCI/pull/389/commits/fcf58f162bddc76a71525a3aa0559185979867ed

Yes, the LoA should probably be attributed to a specific credential, that means it should probably go to credential configuration

> is this partially? fully? addressed by #389 ?

Agree, added closing reference to #389

Related to #91 and #93. Revoking is up to the issuer and not mentioned anywhere in OpenID4VCI. I guess the simplest and safest solution for credential_instances/copies is to throw away...

I think that Attestation-based Client Authentication is our intended solution for this: https://datatracker.ietf.org/doc/draft-ietf-oauth-attestation-based-client-auth/ However, it might be a little too complex for open/low-assurance wallets.

I imagine issuers may rely on trust lists for Wallet providers that contain client_ids. Is that an indirect form of pre-registration?