Constrain id-hub API for status list retrieval

[dwight-holman]

I think we need add something to the effect of

If the credentialStatus property refers to an ID Hub, the ID Hub MUST respond to unsigned, unencrypted message as described in Section 9.1.1 of the id-hub spec with a status code of 200 and a single JWT encoded credential in the entries, as described in section 9.2.

I'm not sure if verifiers need or want to implement permissions grants and whatnot given that status list credentials should be world readable, and authenticating as a particular verifier could have privacy concerns.

[dwight-holman]

In addition to the requirements of section 9.1.1, the POST must include the header "content-type: application/json"

[dwight-holman]

Note that the expected format of the "entries" is Commit or Write messages, so the "data" field is required and contains the encoded credential.

[dtmcg]

@Sakurann to clarify and add to profile for client implementers

[jischr]

@dwight-holman to make a PR instead