w3c / vc-jose-cose

Verifiable Credentials Working Group — VC JSON Web Tokens specification
https://w3c.github.io/vc-jose-cose/

Conformance classes are not defined #202

Closed msporny closed 6 months ago

msporny commented 7 months ago

The current specification does not define any conformance classes. This means that it is not possible for anyone to tell what is required from a conforming document or a conforming issuer implementation or a conforming verifier implementation.

The specification needs to define conformance classes for at least two things: documents/serializations and software/implementations.

selfissued commented 7 months ago

It's not at all clear to me that this is needed. In most standards I've worked on, it's implicit that you conform by implementing the normative statements that apply to your use of the specification. Why should this specification be any different?

msporny commented 7 months ago

> It's not at all clear to me that this is needed. In most standards I've worked on, it's implicit that you conform by implementing the normative statements that apply to your use of the specification. Why should this specification be any different?

Not having conformance classes clearly specified makes it impossible for implementers to tell if their implementation conforms. For example:

The current specification does not draw these distinctions and they are important for implementers to understand the different types of "things" they can conform to in the specification. It's clear that there isn't ONE thing in the specification that can be conformed to... at a minimum, there are conforming documents, probably two different forms of them at least (SD-JWT and COSE) and there are conforming processors, probably two different forms of them for SD-JWT and COSE.

It's important to be explicit about these sorts of things to prevent vendors from claiming conformance to the specification when what they've decided to do is just implement whatever they want to and then claim that the rest of the conformance statements don't apply to them.

Clearly defining conformance classes makes this activity much easier. Not clearly defining conformance classes has negative effects in the ecosystem as implementers can then choose which normative MUST statements to implement and which ones to ignore.

decentralgabe commented 7 months ago

Can add some text that states you can conform to either the JOSE or COSE sections and what conformance looks like for each one. Should be straightforward.

decentralgabe commented 7 months ago

Will address this after #201