OpenID4VCI

Issuer metadata pagination / limiting the number of credential_configurations_supported being returned

Open: Sakurann opened this issue 1 year ago • 1 comment

If the Issuer has a large number of credentials it supports (thousands or millions), and if it returns all of them to the wallet when the wallet fetches the metadata, the wallet might fail. I don't think the standard will set an upper limit on the credentials to be returned, as it is an implementation detail (meaning each implementation is free to set the limit that it believes is reasonable), but we should probably add security considerations in the specification that issuers are recommended to add this limit.

Sakurann, Jan 22 '24 23:01

I'm not sure it's really a security consideration, perhaps more an implementation consideration.

I'm not sure I see a strong reason to add this particular one unless we think it's particularly likely to be an issue for some reason. There are all sorts of places in OAuth2 where there's an implicit "be sensible". For example we also don't say that credential_identifiers shouldn't be 1 gigabyte in size.

jogu, Jan 23 '24 00:01
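
The failure mode raised in this thread can also be bounded on the wallet side. The following is an added example, not code from the thread or the specification: it caps the metadata body size while reading and caps the number of entries in `credential_configurations_supported` after parsing. The limit values, the function names and the `issuer.example` sample body are assumptions made for illustration.

```python
import io
import json

# Assumed wallet-side limits; the specification sets none of these values.
MAX_METADATA_BYTES = 1024 * 1024
MAX_CONFIGURATIONS = 500
MAX_IDENTIFIER_CHARS = 256


class MetadataLimitError(ValueError):
    """Issuer metadata exceeded a locally configured bound."""


def read_bounded(stream, max_bytes=MAX_METADATA_BYTES, chunk_size=8192):
    """Read a response body in chunks, aborting once max_bytes is passed."""
    chunks, total = [], 0
    while chunk := stream.read(chunk_size):
        total += len(chunk)
        if total > max_bytes:
            raise MetadataLimitError(f"metadata body exceeds {max_bytes} bytes")
        chunks.append(chunk)
    return b"".join(chunks)


def load_issuer_metadata(stream, max_bytes=MAX_METADATA_BYTES,
                         max_configs=MAX_CONFIGURATIONS):
    """Parse issuer metadata, rejecting oversized bodies and oversized maps."""
    metadata = json.loads(read_bounded(stream, max_bytes))
    if not isinstance(metadata, dict):
        raise ValueError("issuer metadata must be a JSON object")
    configs = metadata.get("credential_configurations_supported")
    if not isinstance(configs, dict):
        raise ValueError("credential_configurations_supported must be an object")
    if len(configs) > max_configs:
        raise MetadataLimitError(
            f"{len(configs)} credential configurations, limit is {max_configs}")
    if any(len(name) > MAX_IDENTIFIER_CHARS for name in configs):
        raise MetadataLimitError("credential configuration identifier too long")
    return metadata


def constructed_metadata(count):
    """Constructed sample body with `count` credential configurations."""
    configs = {f"cfg_{i}": {"format": "jwt_vc_json"} for i in range(count)}
    body = {"credential_issuer": "https://issuer.example",
            "credential_configurations_supported": configs}
    return io.BytesIO(json.dumps(body).encode())
```

Passing the HTTP response stream to `load_issuer_metadata` instead of a fully buffered body is what keeps memory use bounded; the entry-count check only runs after the size check has already passed.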