Paul Bastian

This is also in contradiction to [OpenID4VCI](https://openid.github.io/OpenID4VCI/openid-4-verifiable-credential-issuance-wg-draft.html#section-13.2)?

1. if there is a "cnf"-> always send KB, if there is none-> don't send it 2. make it very uncomplicated, just don't use the nonce and send the SD-JWT...

My fear is that if the specification becomes too broad, it will lessen the interoperability between the profiles.

@jruizaranguren Sander mentioned you may already use `direct_post` mode. Can you further elaborate where these limitations come from?

A specification should give a complete working example, if it's needed to provide a public key, that's fine for me. We could have an encrypted auth response that matches to...