Add section on processing of metadata

[danielfett]

In #140, we defined some rules especially for signed metadata.

In general, we should add sections that normatively define how metadata must be processed and verified. This should in particular include checks that the necessary elements are present and have the correct values, e.g., the sub in the signed metadata.

[jogu]

I think we also need to make clear that the credential_issuer value needs to be checked that it matches the credential_issuer value that was used to form url the file was retrieved from. (i.e. same as OIDC/OAuth AS metadata.)

[Sakurann]

WG discussion:

• defined processing rules for signed_metadata in redesign signed Issuer Metadata #202
• to resolve this issue, do a PR on what @jogu is suggesting in Add section on processing of metadata #207 (comment)
  • do a pass if anything else is needed to be defined