openid / OpenID4VCI

Issuer indication of PoP requirement in Credential Request. #89

Closed: cobward closed 8 months ago

cobward commented 11 months ago

Apologies for the out-of-order PR-then-issue, I didn't realise an issue was required for raising a PR.

As stated in https://github.com/openid/OpenID4VCI/pull/87:

Currently a wallet has no way of knowing whether the issuing authority requires a proof of possession in the Credential Request. From my point of view there are two ways we can remedy this:

  1. Add a parameter in the credentials_supported issuer metadata object that indicates whether a PoP is required.
  2. Add some normative text which would require wallets to send a PoP if proof_types_supported in the credentials_supported issuer metadata object is not omitted and contains at least one element.

Personally I prefer explicit indication over implied so I have raised the PR showing option 1, but I am open to other opinions and options.

Sakurann commented 8 months ago

PR merged