Limit options supported for the format and resolution method for image based assets in credential issuer metadata

[tplooker]

Currently in places like the credential issuer logo as merged in openid/OpenID4VCI#170. The logo is permitted to be a URI which can being either a network resolvable reference like an https based URL or a data based URI. Furthermore it can be an image of a variety of formats such as an svg, png and or JPEG. Collectively these options represent a significant interoperability issue for implementations and a potential security issue due to the surface area of general purpose URI schemes like data URI's which have capability well beyond image encoding, such as allowing for encoding javascript which opens a potential risk around RCE.

[Sakurann]

wg discussion:

• move it to HAIP since it is mainly an interoperability issue

[Sakurann]

suggestion is to allow data URIs and remote https urls, limit the content types to svg and png

[Sakurann]

and add security considerations such as below from https://datatracker.ietf.org/doc/html/draft-ietf-oauth-sd-jwt-vc-08#section-8.1.2.2-8

When rendering the SVG template, the consuming application MUST ensure that malicious schema providers or issuers cannot inject executable code into the SVG template and thereby compromise the security of the consuming application. The consuming application MUST NOT execute any code in the SVG template. If code execution cannot be prevented reliably, the SVG display MUST be sandboxed.

[Sakurann]

WG discussion: this is an expectation only when the wallet shows the image-based assets received from the issuer. (MUST)

[jogu]

suggestion is to allow data URIs and remote https urls, limit the content types to svg and png

WG discussion: this is an expectation only when the wallet shows the image-based assets received from the issuer. (MUST)

Further discussed on this morning's WG call: Clarification that this then means it's upto the issuer which variants of this they use, and then if the wallet/verifier want to actually display the images (which is likely recommended for user experience reasons?) they need to support both variants of both options (data url + https uri, and svg + png)