Make Issuer metadata normative #234

Open
paulbastian opened this issue Jan 25, 2024 · 3 comments
@paulbastian
Contributor

paulbastian commented Jan 25, 2024

As I stated in the WG Call, I believe that credential_configuration_id is the better choice. In general, I have trouble understanding how OpenID4VCI works well without metadata, as the Wallet needs to know:

  • the credential endpoint
  • supported proof types
  • supported credentials and formats
  • display data for the issuer and the credential

Therefore, I believe that in a productive environment it will be very common that the Issuer has the ability to host metadata.

Originally posted by @paulbastian in #219 (review)

As stated in #219, I believe that Credential Issuer metadata should be mandatory; it just doesn't make sense to me with the current specification otherwise.

@jogu
Contributor

jogu commented Jan 30, 2024

As mentioned in #219 (comment) I think there are two separate but related questions:

  1. Are credential issuers required to have metadata?
  2. Does credential issuer metadata need to list all the credentials the issuer supports?

People were reluctant to agree to '2', and there's precedent for this in OAuth (e.g. in https://datatracker.ietf.org/doc/html/rfc8414#section-2 the AS isn't required to list every supported scope in scopes_supported).

@Sakurann
Collaborator

OAuth being a framework, I am hesitant to require all issuers to have metadata. I think the discussion in issue #82 made it clear that some implementers want to have out of band discovery of the issuer metadata, and I don't see any reason why we should prohibit that.

@Sakurann
Collaborator

Can this be closed in favor of #392, too? Do we want a small PR clarifying that issuers do not have to list all credentials in the issuer metadata (which kind of implies the wallet has ways to obtain those credential configurations using means other than issuer metadata)?
