openid / OpenID4VCI


editorial: Credential response Encrypted, is it possible having a nested JWT? #154

Open peppelinux opened 8 months ago

peppelinux commented 8 months ago

The response is an encrypted JSON and not a Nested JWT, signed and then encrypted.

Is there any possibility that implementers look for having a Nested JWT? Probably not.

I would give more clarification, as OIDC did with the UserInfo Response (or ID Token):

If the UserInfo Response is signed and/or encrypted, then the Claims are returned in a JWT and the content-type MUST be application/jwt. The response MAY be encrypted without also being signed. If both signing and encryption are requested, the response MUST be signed then encrypted, with the result being a Nested JWT, as defined in [JWT].

@sakimura @selfissued ^

_Originally posted by @peppelinux in https://github.com/openid/OpenID4VCI/pull/136#discussion_r1421476039_

selfissued commented 8 months ago

https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0-12.html#name-credential-response already describes unencrypted JSON responses and encrypted JWT responses.

The only reason you might have a nested JWT in my mind would be if the response is signed. But that isn't described in the spec, nor have I heard a request to be able to do so. The credentials themselves, are of course signed.

It would be OK to be 100% clear that for encrypted responses, the JSON response body is the JWT Claims Set. That currently seems to be implied but not explicitly stated.

peppelinux commented 7 months ago

@selfissued your words exactly explain the purpose of this issue, which aims to introduce into the current document some explicit text about this.

Sakurann commented 6 months ago

@peppelinux are you asking for an explicit text that the Credential response cannot be a nested JWT because the entire response is encrypted and the signed credentials are contained as claims in the encrypted payload?