OpenID4VCI
Security Issue with untrusted Issuer Metadata
I see a potential security issue as some parameters in the Credential Issuer Metadata may be self-asserted, in particular: display.name, credentials_supported.display.name and credentials_supported.display.logo. These values are today taken by Wallets and shown to the user. This might give a false sense of security, as attackers easily can create a fake issuer and fake their identity with this metadata.
The security issue originates, in my opinion, from the fact that OpenID4vc does not mandate specific trust mechanisms, similar to being open to any credential format. While this is a strength in general, it is not clear enough to me from the security and privacy considerations that this gap MUST be filled by ecosystems relying on OpenID4vc.
Proposal: Add a section about the significance of an underlying trust framework and what resources of the OpenID4VCI protocol must rely on it, i.e. which things must be protected by those trust mechanisms.
Same applies to OpenID4VP probably, but I didn't cross check the considerations section there.
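A wallet-side sketch of the gap described in this issue, added here as an example and not part of the original post or the specification: self-asserted display values are shown as the issuer's identity only when an ecosystem trust list vouches for the credential_issuer identifier. The trust list, the function names, the sample metadata and the assumed shape of the display arrays are all hypothetical.

```python
from urllib.parse import urlsplit

# Hypothetical ecosystem trust list: credential_issuer identifier -> vetted name.
# A real deployment would obtain this from its trust framework.
TRUST_LIST = {"https://issuer.example.org": "Example University"}


def _names(display):
    """Self-asserted 'name' values from a display array (assumed list of objects)."""
    return [d["name"] for d in display or [] if isinstance(d, dict) and d.get("name")]


def _logos(display):
    """Logo URLs from a display array (assumed shape: {"logo": {"url": ...}})."""
    return [d["logo"]["url"] for d in display or []
            if isinstance(d, dict) and isinstance(d.get("logo"), dict)
            and d["logo"].get("url")]


def presentable_identity(metadata, trust_list=TRUST_LIST):
    """Decide what a wallet may show the user for this issuer metadata."""
    issuer_id = metadata.get("credential_issuer", "")
    url = urlsplit(issuer_id)
    if url.scheme != "https" or not url.hostname:
        raise ValueError("credential_issuer must be an https URL")
    vetted = trust_list.get(issuer_id)  # exact match only, no fuzzy lookup
    creds = []
    for c in metadata.get("credentials_supported", []):
        disp = c.get("display")
        # Logos are rendered only for issuers the trust framework vouches for.
        creds.append({"names": _names(disp),
                      "logos": _logos(disp) if vetted else []})
    return {
        # Trusted: the framework's name. Untrusted: only the hostname.
        "issuer_label": vetted or url.hostname,
        "verified": vetted is not None,
        # Kept separately so the UI can mark these claims as unverified.
        "self_asserted_names": _names(metadata.get("display")),
        "credentials": creds,
    }


# Constructed sample metadata: an unknown issuer asserting a trusted name.
FAKE = {
    "credential_issuer": "https://unknown-issuer.example",
    "display": [{"name": "Example University", "locale": "en"}],
    "credentials_supported": [{"display": [{
        "name": "Student ID", "logo": {"url": "https://cdn.example/logo.png"}}]}],
}
GENUINE = dict(FAKE, credential_issuer="https://issuer.example.org")
```
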