openid / OpenID4VP


[JARM] Additional clarifications about signed JWT, Nested JWT and encrypted JWT #216

Closed peppelinux closed 1 day ago

peppelinux commented 1 month ago

Regarding the section Signed and/or Encrypted Responses.

To provide concrete guidance for implementations, I suggest the following change:

To sign, or sign and encrypt the Authorization Response, implementations MAY use JWT Secured Authorization Response Mode for OAuth 2.0 (JARM) [@!JARM].

to

To sign, encrypt, or both sign and encrypt the Authorization Response using a Nested JWT [RFC7519], implementations must utilize the JWT Secured Authorization Response Mode for OAuth 2.0 (JARM) [@!JARM].

In addition to this, I would open a conversation about how a wallet is supposed to provide its public keys to the verifier for the signature validation, when the signed JWT or the Nested JWT is used. I suppose using wallet_metadata and/or wallet instance attestation. We need to better clarify this if we agree.

Sakurann commented 1 month ago

Please do a PR for your suggested updated text. I think it makes sense.

Sakurann commented 1 month ago

In addition to this, I would open a conversation about how a wallet is supposed to provide its public keys to the verifier for the signature validation, when the signed JWT or the Nested JWT is used. I suppose using wallet_metadata and/or wallet instance attestation. We need to better clarify this if we agree.

I think we have a separate issue on this?