text about effective client id in DC API can probably be improved

[jogu]

https://openid.net/specs/openid-4-verifiable-presentations-1_0-24.html#dc_api_request says:

It's not completely clear that the two highlighted sentences apply only in the case of unsigned requests. I think we should consider moving this whole paragraph to the unsigned request section.

https://openid.net/specs/openid-4-verifiable-presentations-1_0-24.html#appendix-B.3.4.1 says:

I am not sure it is good to use "effective Client Identifier" here. Effective Client Identifier is only defined in the context of unsigned requests, so written like this is it possible for people to get confused as to what client id the wallet should use in signed requests. Possibly just removing 'effective' would solve it.

Mentioned by Martijn during the ISO mDL meeting today.

My understanding of the working group position is that the client id for signed requests is always the client_id parameter found in the request object. (With a possible exception for cases where the signature can't be validated depending on what happens with #395)

[jogu]

Agreed on WG call today to go ahead with a PR to clarify it does mean the authenticated client id.

[c2bo]

When re-reading the Client ID Schemes text, I also stumbled over the formulation of web-origin:

web-origin: This Client Identifier Scheme is defined in (#dc_api_request). The Wallet MUST NOT accept this Client Identifier Scheme if the request is not sent via the Digital Credentials API defined in (#dc_api).

Shouldn't we also change this to say already here that this Client ID Scheme MUST NOT be present in the request, but is constructed by the wallet? "The Wallet MUST NOT accept this Client Identifier Scheme if the request is not sent via the Digital Credentials API defined" seems simply wrong - a Wallet should never accept a request containing a web-origin based client ID currently unless I am mixing something up?

[c2bo]

Will be fixed by #448

[Sakurann]

#448 merged