Joseph Heenan
I don't think it is all working groups, e.g. FAPI does not seem to: https://openid.bitbucket.io/fapi/fapi-2_0-security-profile.html
I'd suggest closing this. We have editor's draft in the title and have published at least one new revision successfully since. I have a script that automatically updates the title...
I'm not sure it's really a security consideration, perhaps more an implementation consideration. I'm not sure I see a strong reason to add this particular one unless we think it's...
I think we also need to make clear that the `credential_issuer` value needs to be checked that it matches the credential_issuer value that was used to form url the file...
I reviewed this issue given we've removed the batch endpoint now, and I believe the suggestion Kristina made in her last comment is still relevant to the credential endpoint when...
Given there's a decision not to address this in SD-JWT ( https://github.com/oauth-wg/oauth-selective-disclosure-jwt/issues/329 ) I don't see that there's anything we can do in the VCI spec so I think we...
Closing as per previous comment as there's been no objections. Feel free to comment if you see a way forward and we can reopen.
I think having OID4VCI require pre-registration of wallets using DCR at the AS would overly limit adoption of the spec and create some fragility. It also would not relieve the...
I have no issue with adding some non-normative text/guidance. I agree that the attestation draft (whilst very useful) does not currently appear to solve the problem of initially registering the...
> But does DCR solve that either? Both entities need to be in some trust list or similar mechanism and then client authentication could be sufficient

It can do, e.g....