With OpenID4VP, the Authorization Server will issue an EmployeeCredential (to the user's session wallet) for each initiated OpenID4VP flow. These will all be stored in the issuer's SQL database, never cleaned up.
Potential solutions:
- An apparent simple solution would be to introduce a cleanup-job for the issuer store, but when the Nuts node is used as primary VC issuer (e.g. CiBG), automated cleanup of issued credentials might destroy administration? Might also break statuslist2021?
- Alternatively, we could introduce a "store in issuer administration" flag, but that feels like hacky design (and leads to awkward APIs).
- Automatically clean up short-lived credentials
- ...
The requirements question behind it is: when would an issuer be cleaning up issued VCs?
These particular credentials do not have a CredentialStatus entry so they are non-revocable. Therefore there's no use in storing them in the issuer DB. They are also not issued via an API but via an internal interface. Primary use of the issuer DB is to search for revocable VCs.
For auditing purposes I would store them at the usage side, not the issuing side.
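The retention rule discussed in this thread (keep anything revocable, let only expired non-revocable credentials be cleaned up), sketched as an added example that is not Nuts node code. The names `issuedVC`, `revocable` and `purgeable` are hypothetical and the sample credential is constructed; the check covers `credentialStatus` being absent, null, an object or an array.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"time"
)

// issuedVC holds only the W3C VC fields this retention policy looks at.
type issuedVC struct {
	ExpirationDate   *time.Time      `json:"expirationDate"`
	CredentialStatus json.RawMessage `json:"credentialStatus"`
}

// revocable reports whether credentialStatus carries at least one entry.
// The field may be absent, null, an object or an array; anything
// unexpected counts as revocable so the record is kept.
func revocable(status json.RawMessage) bool {
	s := bytes.TrimSpace(status)
	if len(s) == 0 || bytes.Equal(s, []byte("null")) {
		return false
	}
	var list []json.RawMessage
	if json.Unmarshal(s, &list) == nil {
		return len(list) > 0
	}
	var obj map[string]json.RawMessage
	if json.Unmarshal(s, &obj) == nil {
		return len(obj) > 0
	}
	return true
}

// purgeable reports whether an issuer-store record may be deleted:
// only non-revocable credentials whose expirationDate has passed.
func purgeable(raw []byte, now time.Time) (bool, error) {
	var vc issuedVC
	if err := json.Unmarshal(raw, &vc); err != nil {
		return false, fmt.Errorf("parse credential: %w", err)
	}
	if revocable(vc.CredentialStatus) || vc.ExpirationDate == nil {
		return false, nil
	}
	return vc.ExpirationDate.Before(now), nil
}

func main() {
	now := time.Date(2024, 6, 1, 12, 0, 0, 0, time.UTC)
	// Constructed sample: a session credential without credentialStatus.
	session := []byte(`{"type":["VerifiableCredential","EmployeeCredential"],"expirationDate":"2024-06-01T11:00:00Z"}`)
	fmt.Println(purgeable(session, now))
}
```

Credentials without an `expirationDate` are never purged by this rule, so a cleanup job built on it cannot remove records an issuer still needs for revocation or status list administration.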