Write an algorithm for verifying VC/VP JWTs

[jyasskin]

@OR13 mentioned that the bulk of this algorithm is a call to either https://www.rfc-editor.org/rfc/rfc7515.html#section-5.2 or https://www.rfc-editor.org/rfc/rfc7519.html#section-7.2 (which one?), but the algorithm should include at least

• [ ] any "application decision"s that those specs ask for
• [ ] the restrictions from https://w3c.github.io/vc-jose-cose/#key-discovery
• [ ] a description of when any remote resources are dereferenced/fetched, for example to find controller documents and keys.

[OR13]

I took at stab at this in https://github.com/w3c/vc-jose-cose/pull/190

I'd prefer to tackle key discovery protocols separately from verification and validation.

Keep in mind that we still intend to generalize https://w3c.github.io/vc-controller-document/

Such that it can be cited regarding controller documents by this specification or other specifications that do not rely on JSON-LD document loaders for resolution or dereferencing.

As that work is not yet started / complete, the key discovery part of this issue won't be resolvable for some time, and it might be better to focus this issue on aligning with the "verification algorithm" part of the core data model:

• https://github.com/w3c/vc-data-model/issues/1362
• https://github.com/w3c/vc-data-model/pull/1338

[selfissued]

Addressed by https://github.com/w3c/vc-jose-cose/pull/190