Torsten Lodderstedt

I would rather suggest to have another example (pair) for request for encrypted response and encrypted response.

I think the PR would bring a significant improvement to the VCI spec. However, I would like to point that it is a significant breaking change. Merging this PR now...

I think this feature is useful if the flow started with the issuer. What I would like to understand is, when this URL should be sent in the issuance response....

I'm missing another option to cope with the multiple credential instances option, which is the explicit differentiation between the credential data set (the data the issuer maintains) and the credential...

What is basically missing as of now is a differentiation between the data an issuer has about a user and the different credential instances (with different device keys) with this...

> most recent ideas for Credential Request multiple proofs ask for multiple instances of the same credential?

> a quick note that a proposal that introduces any changes to the token response (like a new top level claim `credential_identifier`) would not work for implementations like Microsoft's that...

we discussed the latest proposal for layering and terminology in the WG call. The layering was well received, the terminology (esp credential dataset) still needs more work. We agreed we...

I would not say it boils down on whether you trust the issuer or not. I think there are subtle difference between different kinds of metadata. Especially the name (`display.name`)...

Identifying the party signing a JWT based on its identity in the protocol (here: `client_id`) is a good practice in my opinion. It allows to further qualify the context (besides...