Security Considerations for Encryption

[GarethCOliver]

from PR #505 , add security considerations around when encrypting of request and/or the response is useful.

[GarethCOliver]

Proposed points:

• Used for providing confidentiality of data in the Credential Request and Credential Response beyond the endpoints of TLS.
• Example use cases: Composite issuer server infrastructure, Composite Wallet clients with different security postures (most notably wallet server-client architecture)
• Issuer encryption key must be either retrieved directly, or be able to verify the owner of the key (such as using signed_metadata).
• In cases where the termination of TLS and the termination of the application-encryption are within the same component, application-layer encryption provides no additional benefit.
• While encryption does protect the confidentiality of the data, it does not help against other attacks that may result in access to the data (such as theft of the access token, impersonation of the client, or swapping of the encrypted request).