Currently the spec says that A non-exhaustive list of valid (credential_binding_methods_supported) values defined by this specification are `did`, `mso`, and `none`.
@Giuseppe De Marco clarified implementations also need `jwk` and `x5c`, which I agree should be added.
a signed JWT is a self consistent and verifiable artifact that may envelope a jwk with a x5c/x5c.
I'd consider jwt and jwk only, I’d remove x5c but nothing in contrary to have it anyway
A related issue is how is the issuer, which uses X.509 PKCs to sign the issued VCs, is identified in the issuer field of the VC that is transferred to the iss field of the JWT. I suspect that this will be the RDN in the subject field of the issuer’s PKC in order to bind the PKC and VC together. It almost certainly wont be a DID. The W3C VC DM requires this to be a URI. So the iss/issuer field should be the https URL of the issuer, and the PKC will be a domain validated PKC proving that the issuer owns the domain name in the subject field.
Does our current spec support this? I think it would be very helpful if the implementation section could document this.
resolved with a merged PR
PR #292