Open Sakurann opened 1 month ago
I'm not sure... While the risk is real, so are many other risks. It's 2024 and developers should have learned not to trust information. We also don't consider warning people of SQL injection attacks via JSON metadata files. But maybe we should?
Anyway and nonetheless, to see what it would look like, I drafted a PR: https://github.com/oauth-wg/oauth-sd-jwt-vc/pull/262
There are certain risks associated with free text, some of which are elaborated in threads like these (though not entirely): [https://github.com/openid/OpenID4VP/pull/220#discussion_r1696310253](https://github.com/openid/OpenID4VP/pull/220#discussion_r1696310253)
I probably won't be able to convince the authors to remove the free text `description` property from the metadata, which is defined as "A human-readable description for the type, intended for developers reading the JSON document."
So at least it would be great if security considerations for free text could be added. Thanks.
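As an added illustration (not code from the issue, the PR, or the SD-JWT VC draft) of treating the free-text `description` as untrusted input before a developer tool displays it: the checks below flag over-long values, control characters, Unicode bidi overrides and markup-like characters, and HTML-escape the text for display. The metadata document, the length limit and the field names other than `description` are constructed assumptions.

```python
import html
import json
import unicodedata

# Constructed sample type metadata document; the description deliberately
# carries markup and a right-to-left override character.
SAMPLE_METADATA = json.dumps({
    "vct": "https://example.invalid/credentials/example",  # assumed value
    "description": "Example credential <script>alert(1)</script>\u202e for developers",
})

MAX_DESCRIPTION_LEN = 512  # assumed local policy limit, not from the spec

# Unicode bidirectional embedding/override/isolate controls (Trojan Source style).
BIDI_CONTROLS = {"\u202a", "\u202b", "\u202c", "\u202d", "\u202e",
                 "\u2066", "\u2067", "\u2068", "\u2069"}


def description_problems(text: str) -> list[str]:
    """Return the list of problems found in a free-text description (empty if clean)."""
    problems = []
    if len(text) > MAX_DESCRIPTION_LEN:
        problems.append("too long")
    # Category Cc = C0/C1 control characters; newline and tab are tolerated.
    if any(unicodedata.category(ch) == "Cc" and ch not in "\n\t" for ch in text):
        problems.append("control character")
    if any(ch in BIDI_CONTROLS for ch in text):
        problems.append("bidi override")
    if "<" in text or ">" in text:
        problems.append("markup-like characters")
    return problems


def safe_description_html(text: str) -> str:
    """Drop bidi controls and control characters, then escape for an HTML context."""
    cleaned = "".join(ch for ch in text
                      if ch not in BIDI_CONTROLS
                      and (unicodedata.category(ch) != "Cc" or ch in "\n\t"))
    return html.escape(cleaned, quote=True)


def load_type_metadata(raw: str) -> dict:
    """Parse a type metadata JSON document and annotate its description."""
    doc = json.loads(raw)
    desc = doc.get("description")
    if desc is not None:
        if not isinstance(desc, str):
            raise ValueError("description must be a string")
        doc["description_problems"] = description_problems(desc)  # assumed key
        doc["description_html"] = safe_description_html(desc)     # assumed key
    return doc
```

Rendering the escaped form in the tool rather than the raw string keeps the description informational even when its contents were chosen by whoever published the metadata.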