Other Issuer Signature Mechanisms using https scheme #377
Description
Section 3.5 states that When the value of the iss claim of the Issuer-signed JWT is an HTTPS URI, the recipient obtains the public key using the keys from JWT VC Issuer Metadata.
However, it also states that "separate specifications or ecosystem regulations may define additional Issuer Signature Mechanisms."
The additional creates potential ambiguity:
- Does the HTTPS scheme exclusively trigger JWT VC Issuer Metadata?
- Or can additional mechanisms also be defined that use HTTPS URIs as iss values?
It makes the JWT VC Issuer Metadata, that is defined as optional for this spec, de facto mandatory in many, if not most, cases because when the fairly popularhttps scheme is used, it is mandatory. It eliminates other options like OpenID Federation or any other mechanism that uses the https scheme.
Assuming that it wasn't the intention, I'd like to propose to clarify that by adding Additional mechanisms MAY use the HTTPS scheme for iss values. or something along these lines to the paragraph below the bullet points.