Description
As an observation during interop testing: the latest spec does not explicitly require `use` on each JSON Web Key in the request's `client_metadata.jwks`; therefore, test verifiers may not be setting this property on their encryption public key.

Given that the spec text suggests that the keys may not be used solely for encryption purposes, not having `use` could cause ambiguity when there are two keys of the same type that are used for different purposes. The holder could pick the wrong key, one that is intended for a different purpose, to perform the response encryption.

It would be nice to clarify the expectation in the OpenID4VP spec to eliminate such ambiguity. Is it always true that the `jwks` keys shall only be used for encryption? Otherwise, can we require key `use` at least for the encryption key, or have some solution along those lines to make sure that the holder will always know which key to pick for response encryption?
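A defensive key-selection routine, added here as an illustration and not part of the spec or of any wallet implementation, showing how a holder can apply the JWK `use` and `alg` parameters when choosing the response-encryption key from `client_metadata.jwks` and detect the ambiguity described above. The selection rules and the sample JWKS values are constructed for this example.

```python
from typing import Optional


class AmbiguousKeyError(Exception):
    """Raised when more than one JWK could plausibly be the response-encryption key."""


def select_encryption_key(jwks: dict, alg: Optional[str] = None) -> dict:
    """Pick the verifier's response-encryption key from client_metadata.jwks.

    Constructed rules (a conservative reading of RFC 7517, not spec text):
      1. Keys marked use == "sig" are never encryption candidates.
      2. If exactly one key carries use == "enc" (with a compatible alg, if given), return it.
      3. Otherwise consider keys with no "use" at all, but only if that leaves a single candidate.
    """
    keys = jwks.get("keys", [])
    if alg is not None:
        # A key that states an alg must match; a key with no alg is still a candidate.
        keys = [k for k in keys if k.get("alg") in (None, alg)]
    enc = [k for k in keys if k.get("use") == "enc"]
    if len(enc) == 1:
        return enc[0]
    if len(enc) > 1:
        raise AmbiguousKeyError("several keys marked use=enc; need alg or kid to disambiguate")
    untagged = [k for k in keys if "use" not in k]
    if len(untagged) == 1:
        return untagged[0]
    if not untagged:
        raise ValueError("jwks contains no key usable for response encryption")
    raise AmbiguousKeyError("multiple keys of unknown purpose; verifier should set use=enc")


def is_ambiguous(jwks: dict, alg: Optional[str] = None) -> bool:
    """True when the holder cannot safely decide which key to encrypt to."""
    try:
        select_encryption_key(jwks, alg)
        return False
    except AmbiguousKeyError:
        return True


# Constructed sample client_metadata.jwks values (placeholder coordinates, not real keys).
JWKS_TAGGED = {"keys": [
    {"kty": "EC", "crv": "P-256", "kid": "v-sig", "use": "sig", "x": "placeholder", "y": "placeholder"},
    {"kty": "EC", "crv": "P-256", "kid": "v-enc", "use": "enc", "alg": "ECDH-ES", "x": "placeholder", "y": "placeholder"},
]}
JWKS_UNTAGGED = {"keys": [
    {"kty": "EC", "crv": "P-256", "kid": "k1", "x": "placeholder", "y": "placeholder"},
    {"kty": "EC", "crv": "P-256", "kid": "k2", "x": "placeholder", "y": "placeholder"},
]}
```

With `use` present the holder selects `v-enc` deterministically; with two untagged EC keys the routine refuses to guess, which is the situation the issue describes.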