Set DCQL query meta field to required

[cre8]

To fetch a credential via DCQL, it should be identified by a unique identifier like vct or namespace, but not by the structure based on field names. This can be tricky especially when using selective disclosure and increase the risk, that the wrong credential gets shared, I already happened in multiple projects where using a wallet that already included other credentials from other projects.

To avoid this, the meta field that includes the vct value for sd-jwt vc and namespace for mdoc in the credential query should be required than optional.

Todo:

• change from optional to require
• explain that a credential should always be identified by the type and not by the field (maybe added to privacy section or DCQL in general).

There is still the risk that a user will have two credentials with the same type (like club member card), but the verifier is able to limit it down to the issuer value or by defining the trust authorities.

@Sakurann I think this is a 1.0 change that should be included.

[charsleysa]

I think this was missed in #480 as the intent was to require vct / doctype as the DCQL query didn't make sense without it according to the WG discussion comment #413 (comment).

This should be added to 1.0 to meet the expectations of that discussion.

There is still the risk that a user will have two credentials with the same type (like club member card), but the verifier is able to limit it down to the issuer value or by defining the trust authorities.

There are use cases where many credentials of the same type from the same issuer is desirable so we need to make sure support for those use cases is not removed.

[c2bo]

I think it is the correct choice to classify meta as optional in the generic section - there might very well be credential formats that do not require that parameter in the future. In the credential-format specific parts, we might want to state that meta MUST be present for specific formats (sd-jwt vc and mdoc)?

[Sakurann]

WG discussion.

• leaning towards making meta mandatory, and if a specific credential format in the future might not need it, send empty object.
  • entire spec is written assuming Credential is identified using format and type
  • sounds like even ZKP will need meta
  • in the PR, make sure all examples contain meta