Description
The term "ecosystem" has been used several times as a text subject for requirements and recommendations. However, the term has not been defined in this document or in relevant documents, and it would confuse the readers, who are targeted as implementers.
Since neither OID4VCI nor OID4VP defines "ecosystem", it might be better to define it as something such as "bodies that set guidance for the implementers" or to remove the text where "ecosystem" is used as a text subject for requirements in this document.
Some of the text where "ecosystem(s)" is used as the subject of requirements and recommendations:
- OpenID for Verifiable Credential Issuance
When implementing OpenID for Verifiable Credential Issuance, both the Wallet and the Credential Issuer:
- MUST support the authorization code flow.
- MUST support at least one of the following Credential Format Profiles defined in Section 6: IETF SD-JWT VC or ISO mdoc. Ecosystems SHOULD clearly indicate which of these formats, IETF SD-JWT VC, ISO mdoc, or both, are required to be supported.
4.4.1. Wallet Attestation
Alternatively, ecosystems MAY choose to rely on other Wallet Attestation formats.
4.5.1. Key Attestation
Wallets MUST support key attestations. Ecosystems that desire wallet-issuer interoperability on the level of key attestations SHOULD require Wallets to support the format specified in Annex D of [OIDF.OID4VCI], in combination with the following proof types:
- jwt proof type using key_attestation
- attestation proof type
Alternatively, ecosystems MAY choose to rely on other key attestation formats, meaning they would need to use a proof type other than attestation, define a new proof type, or expand the jwt proof type to support other key attestation formats.
- OpenID for Verifiable Presentations
The following requirements apply to OpenID for Verifiable Presentations, irrespective of the flow and Credential Format:
- The Wallet and Verifier MUST support at least one of the following Credential Format Profiles defined in Section 6: IETF SD-JWT VC or ISO mdoc. Ecosystems SHOULD clearly indicate which of these formats, IETF SD-JWT VC, ISO mdoc, or both, are required to be supported.
Note that while this document does not define profiles for X.509 certificates used in Verifier authentication (e.g., with the x509_hash Client Identifier Prefix), ecosystems are encouraged to select suitable certificate issuing policies and certificate profiles (for example, an mDL ecosystem can use the Reader Authentication Certificate profile defined in Annex B of ISO/IEC 18013-5 with x509_hash), or define new ones if there is a good reason to do so.