Use of iat, exp, and nbf in long lived attestations

The discussion at PR #524 revealed different opinions in the WG about how the iat, exp, and nbf JWT claims shall be used in long lived attestations (e.g. for verifier authentication or wallet attestation). The options discussed include:

• nbf is mandatory and used to determine when the attestation starts to be valid
• iat is mandatory and represents the time when the attestation starts to be valid
• exp is mandatory and sufficient to govern the lifetime

Please share your opinion on the best way to use the before mentioned claims (including which claims should be optional and which should be mandatory).

‌