chore: add recommedation about public key used in the jwt proof

[peppelinux]

This PR aims to remark an important aspect about the unlinkability of the credential through the holder key binding.

[aarmam]

I will add the same option for discussion, to solve enforcing the key to bind for CI, as described in openid/OpenID4VCI#292

OpenID4VCI has an option to use authorization_details parameter defined by Section 2 of RFC9396. The same specification could be used to convey authorization_details in token endpoint to specify the authorization details that a client wants the AS to assign to an access token. For example credential_jkt parameter could be introduced to force CI to accept proofs that match credential_jkt claim in access token.

This would enforce the CI (required by OpenID4VCI if they choose to implement it or by EUDI Wallet implementation profile otherwise) to verify that the key thumbprint in credential_jkt matches the key thumbprint in proof parameter.

The name and intention is similar to RFC 9449 dpop_jkt parameter, that you use also for sender-constrained access tokens, that can be used to bind the issued authorization code to a specific key.

I dont know if its overkill but you could consider using dpop_jkt in PAR request similary to enforce the DPoP key that can be presented in token endpoint for sender-constrained access token. But that is a separate issue.

OpenID4VCI states that

The Client can request issuance of a Credential of a certain type multiple times, e.g., to associate the Credential with different public keys/Decentralized Identifiers (DIDs) or to refresh a certain Credential

This could be achieved with authorization_details in a refresh token request to specify updated value of credential_jkt.