Fetch vct from URL or from registry #256

Open
alenhorvat opened this issue Sep 18, 2024 · 0 comments

@alenhorvat

https://www.ietf.org/archive/id/draft-ietf-oauth-sd-jwt-vc-05.html#section-6.3.1

Is defining that if vct is an https:// it should check the metadata under the well known (at least the 2nd part of the text reads like this:

i.e., by inserting /.well-known/vct after the authority part of the URL.)

Many registries are, and will be, accessible via URLs, hence the metadata type is expressed via a URL; adding or maintaining a .well-known might not fit in the existing API designs. Also note that .well-known has well-known issues with multi-tenancy. Most use cases will delegate the hosting of the information to registries.

Also

URL https:///.well-known/vct/, i.e., by inserting /.well-known/vct after the authority part of the URL.

Questions:

  • if schema is https, should the full URL be provided? (no ambiguity with .well-known, you can host schema on github, ...)
  • metadata retrieval category re-consideration:
    1. Fetch vct from a remote source:
      a) URL: HTTPS schema -> full URL that points to a schema
      b) URN: domain-defined URN that MUST be understood by the wallet; the URN method defines how to map the URN to URL and retrieve the data
    2. Fetch the vct metadata locally:
      a) local cache
      b) Signature (signed or unsigned header); whether or not metadata is shared in the (un)protected header is defined by the signature format, hence out of scope of this document.

2b: point to consider for the OID4VP: should there be a flag: "archival mode" or similar, that would flag that the wallet needs to provide all the referenced content in an unprotected JWS header?

@danielfett danielfett self-assigned this Oct 1, 2024
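
The two readings of an HTTPS `vct` discussed in the issue above, as an added example that is not part of the issue or of the draft: the `.well-known` location obtained by inserting `/.well-known/vct` after the authority, next to the full URL used as-is (option 1a), plus a grouping that shows why tenants sharing one authority all depend on that authority's `.well-known` tree. Function names, the `registry.example` host and the sample `vct` values are constructed for illustration, and rejecting userinfo and fragments is an assumption of this example.

```python
from collections import defaultdict
from urllib.parse import urlsplit, urlunsplit

WELL_KNOWN_PREFIX = "/.well-known/vct"  # path segment quoted in the issue


def well_known_url(vct: str) -> str:
    """Insert /.well-known/vct after the authority part of an HTTPS vct."""
    parts = urlsplit(vct)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("vct is not an absolute HTTPS URL")
    # Assumption of this example (not stated in the issue): refuse userinfo
    # and fragments so the derived URL cannot differ from what a reviewer sees.
    if parts.username or parts.password or parts.fragment:
        raise ValueError("vct must not carry userinfo or a fragment")
    return urlunsplit(("https", parts.netloc, WELL_KNOWN_PREFIX + parts.path,
                       parts.query, ""))


def candidate_locations(vct: str) -> dict:
    """Both readings discussed in the issue, plus the URN case (option 1b)."""
    if vct.lower().startswith("urn:"):
        # Resolution is defined by the URN method, so nothing is derivable here.
        return {"kind": "urn", "direct": None, "well_known": None}
    return {"kind": "https", "direct": vct, "well_known": well_known_url(vct)}


def well_known_roots(vcts):
    """Group HTTPS vct values by the authority that must serve .well-known."""
    roots = defaultdict(list)
    for vct in vcts:
        parts = urlsplit(vct)
        roots[f"https://{parts.netloc}{WELL_KNOWN_PREFIX}/"].append(vct)
    return dict(roots)


# Constructed sample values: two tenants of one hypothetical registry.
TENANT_A = "https://registry.example/tenant-a/types/id-card"
TENANT_B = "https://registry.example/tenant-b/types/id-card"

if __name__ == "__main__":
    for vct in (TENANT_A, TENANT_B, "urn:example:types:id-card"):
        print(vct, "->", candidate_locations(vct))
    # Both tenants resolve under the same operator-controlled root.
    print(well_known_roots([TENANT_A, TENANT_B]))
```

Both tenant paths land under the single root `https://registry.example/.well-known/vct/`, so a tenant that controls only its own path prefix cannot publish metadata there without the host operator.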